Date post: 13-Apr-2017

Page 1: Capsticks   social housing gdpr monday am

GDPR and Social Housing – putting the GDPR in context

Preparing for the GDPR within the Housing Sector

Andrew Latham

January 2017

Page 2

What we will be talking about

- Potential trends in the sector
- Thinking about the GDPR in the context of the work you are/may be doing:
  - Mergers and employment
  - Outsourcing
  - Information sharing and joint working with other agencies
  - Vulnerable tenants and ASB
- Other issues
- Q+A and your experiences

Page 3

What do the next five years look like? External pressures

- Brexit, Donald Trump, drone deliveries and driverless cars…
- Market and economic volatility
- Continued decline in home ownership and affordability
- Continued squeeze on social care
- Impact of welfare reform (including roll out of Universal Credit)
- Aging population continues to rise (in some areas rapidly)
- JAMs as a political priority
- 25 May 2018!

Page 4

What do the next five years look like? Inside the sector

- Impact of Welfare Reform Act and Housing and Planning Act 2016
- Continued squeezes financially – rent cuts and reduction in income
- Need to ‘do more with less’: efficiency, innovation, integration, diversification and outsourcing of services
- Mergers between HAs
- Improvements in technology in the delivery of services
- Therefore greater use and exchange of (personal) data…

Page 5

GDPR into the mix

- Reinforces and updates rights of data subjects
- Reinforces and updates responsibilities of data controllers (and processors)
- Much more emphasis for data controllers on demonstrating how things are being done in a way which is fair and lawful: “Lawfulness, fairness and transparency.” [Art 5 GDPR]
- Explicit accountability principle in Article 5. Record keeping/‘show and tell’
- Some new teeth (more on that later…)
- What we don’t yet know: extent of national provisions which can provide more specific rules (e.g. Article 23, Article 88)

Page 6

Whose data are RPs processing?

- Tenants and their families
- Potential customers
- Other persons present in HA accommodation
- Employees
- Staff/data from partner organisations

Page 7

What legitimising condition(s) are you relying on? (Article 6)

a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) The processing is necessary for compliance with a legal obligation to which the controller is subject;

d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms, particularly in the case of a child.

Page 8

Special category (“sensitive”) personal data – Article 9

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation

Criminal offences and convictions data falls outside GDPR and “shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.”

Page 9

Legitimising conditions for SCPD

- Explicit consent
- Employment, social security
- Protecting vital interests where the data subject is physically or legally incapable of giving consent
- Management of not-for-profit membership organisations
- Processing relates to personal data which are manifestly made public by the data subject
- Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
- Processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
- Healthcare, occupational health and public health and safety
- Scientific, historical archiving, research or statistical purposes

Page 10

Consent

- Requirements under the GDPR are similar to the DPA: consent must be freely given, specific, informed and unambiguous
- The GDPR places an onus on the data controller to demonstrate that consent was given
- Consent must be obtained in an easily accessible form, using clear and plain language
- Must be a positive indication of agreement
- Reliance on consent triggers additional GDPR rights
- Individuals must be able to withdraw their consent easily
- Processing data relating to children under 16 requires the consent of the child’s parent or guardian

Page 11

Fair processing information (Articles 13 + 14)

- Contact details of the DC and the data protection officer
- Purpose and legal basis for processing
- The legitimate interests of the controller or third party, where applicable / right to withdraw consent
- Categories of personal data
- Any recipient or categories of recipients of the personal data
- Details of transfers to third countries and safeguards
- Retention periods
- Data subject’s rights
- The right to complain to the ICO
- The source the personal data originates from and whether it came from publicly accessible sources
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data
- Information about profiling/automated decision taking

Page 12

How are you going to be transparent?

Discussion point: How do you provide the above 13 categories of information in a way which is “concise, easily accessible and easy to understand”?

Is such information best done all in one place, specific privacy documentation, or contextualised by reference to services (e.g. within employee/tenant handbook) – or all of the above?

- Layered notices and ‘just in time’
- Electronic means including visualisation
- Field test privacy information while you are developing it
- DPIAs

Page 13

Applying GDPR: employment and mergers

Employment
- What data do you hold about employees? What do you use it for? What legitimising conditions to rely on?
- Consent – problematic area (this may also be true of tenants in receipt of housing benefit etc. where ‘choice’ is limited/imbalance of power)
- Contractual necessity
- Legitimate interests
- Employment condition for SCPD
- Subject access rights

Page 14

Mergers

- It will almost certainly be necessary for information about employees (and potentially tenants) to be shared pre-merger as part of preparations/due diligence
- Data minimisation – Article 5(1)
- Article 25 – Proportionality of data sharing (“organisational measures to ensure that by default only personal data which are necessary for each specific purpose are processed”)
- DPIA
- Consider the nature of the merger – hard or soft? If soft, need for a data sharing agreement on an ongoing basis
- How to balance transparency vs commercial interests/risk of prejudice

Page 15

Outsourcing

- Data processor definition remains broadly unchanged: “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
- A data processor acting beyond the instructions of the controller will be a controller itself.
- Controller required to choose a processor who provides “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation”, i.e. more than simply security!

Page 16

Outsourcing

Alongside the enhanced legal obligations on data processors, there are enhanced requirements for data processing agreements/contracts:
- Requirement to process only on documented instructions
- Ensuring obligations of confidentiality
- Assistance to the controller
- Deletion or return of data processed (unless member state law requires provision)
- Making information available to the controller

Page 17

Joint working, vulnerable tenants and ASB

- GDPR sits alongside other powers, duties and functions
- Social housing providers are subject to a number of obligations to cooperate with other agencies – e.g. Anti-social Behaviour, Crime and Policing Act 2014 (community trigger tool); Criminal Justice Act 2003 (MAPPA)
- Legitimising conditions: Consent? Public interest? Health?

Page 18

Joint working, vulnerable tenants and ASB (2)

- How to comply with Articles 13 and 14?
- Article 26 – where joint data controllers work together, they must delineate their respective responsibilities “in a transparent manner.”

Page 19

Capsticks – Who we are and what we do

- Market leading legal providers for the housing sector
- HALA panel member
- 10 lawyers dealing with Data Protection and information law issues
- Advisory
- Transactional
- Litigation
- 24/7 service
- Consultancy – ASB, information sharing

Page 20

Q+A and thank you!

Andrew Latham
Senior Lawyer, Public Law
Capsticks Solicitors LLP

020 8780 [email protected]

@ajlhealthlaw

Page 21

GDPR and Social Housing – principal legal risks and how to manage them

Preparing for the GDPR within the Housing Sector

Andrew Latham

January 2017

Page 22

Current legal risks (1) – What we are seeing

- Increasing awareness of DPA obligations and enforceability of DPA rights by data subjects
- DPA being pleaded in conjunction/alternative with other heads of action: tort of privacy, defamation, breach of confidence
- Demise of s. 13(2) DPA – low threshold of ‘distress’
- Damages/compensation for breaches
- ‘Death by a thousand cuts’ – one incident, many (low value) claimants; may not be insured (and may be within excess)

Page 23

Current legal risks (2) – What we are seeing

- Litigation around subject access requests
- ICO enforcement action
- Vicarious liability for bad pennies + reputational risk associated with ICO prosecutions of individuals (erosion of trust?)
- Hacking and ransomware

Discussion point: what’s your experience?

Page 24

Data protection – current issues in the Courts

- Increased environment of damages for misuse of private information (post Gulati and Vidal-Hall v Google, but see also quantum in TLT v Home Office, Andrea Brown v Met Police and Greater Manchester Police, PSNI case)
- Subject access requests
  - Disproportionate effort (Dawson-Damer v Taylor Wessing)
  - Third party data (DB v GMC)

Page 25

DPP 7/GDPR Art 32

Controller (and processor) required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:
- Pseudonymisation and encryption;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore availability and accessibility of PD in a timely manner;
- Testing and evaluation of technical and organisational measures.

- Compliance with Codes of Conduct and certification
- Staff act only on instructions

Page 26

Duty to notify supervisory body (Art 33)

- Within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
- Description of the nature of the breach, categories and numbers of individuals and records concerned
- Provide details of DPO
- Describe consequences of the breach
- Describe measures taken to address the breach
- May need to update/provide information in phases
- Maintain a register of breaches
- Is a breach an incident?

Page 27

Duty to notify data subject (Art 34)

When the breach is likely to result in a high risk to the data subject, the controller shall communicate the breach to the data subject without undue delay.

Communications need to be in clear and plain language. Data subject to be told at least:
- Nature of breach
- Details of DPO
- Likely consequences of breach
- Measures taken to manage the risk

Page 28

When don’t you need to notify the data subject?

- There are appropriate technical and organisational measures in place, in particular which render the data unintelligible
- The controller has taken measures which ensure the risk to data subjects is unlikely to materialise
- Telling the data subjects directly would involve disproportionate effort. If this is the case, need to give a public statement or similar.
- ICO can tell you to contact data subjects if you haven’t done so already.

Page 29

GDPR provisions

- Supervisory authority – Articles 51-62
- European Data Protection Board (Articles 63-76)
- Complaints to the SA (and judicial remedies against it)
- Judicial remedies against controllers and processors (Article 79)
- Representation of data subjects/group litigation (Article 80)
- Harmonisation of multi-national litigation (Article 81)
- Compensation (Article 82)
- Administrative fines (Article 83)
- Penalties (Article 84)

Page 30

GDPR enforceability in more detail – Articles 77 + 78

Without prejudice to any other judicial or administrative remedy, every data subject shall have the right to lodge a complaint with a supervisory authority… [i.e. ICO]

Without prejudice to any other remedy, each legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority…

Page 31

Claims and enforceability – Articles 79 + 80

Without prejudice to any available administrative or non-judicial remedy [including complaints to the SA], each data subject shall have the right to effective judicial remedies where he or she considers that his or her rights have been infringed as a result of the processing of data…

- As with DPA, claims are in parallel to ICO complaints
- Claims can be brought where the Data Controller is established, or where the Data Subject is ‘habitually resident’.

Page 32

Claims and enforceability – Article 82

(1) Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered

(2) Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with the obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the data controller.

(3) A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

Page 33

Claims and enforceability – Article 82 (ctd)

(4) Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

(5) Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage in accordance with the conditions set out in paragraph 2.

Page 34

Administrative fines and Supervisory Authority Powers – Articles 83 and 58

- Fines need to be “effective, proportionate and dissuasive”
- Additional or alternative to supervisory authority’s other powers (Art 58):

Investigative powers
- Require provision of information
- Data protection audits
- Correspondence with DC and DP
- Access to PD and to all information necessary
- Access to premises and equipment (subject to member state law (warrants etc))

Page 35

Administrative fines and Supervisory Authority Powers – Articles 83 and 58 (ctd.)

Corrective powers
- Issuing warnings to controllers and processors (where likely to infringe GDPR)
- Issue reprimands (where have infringed GDPR)
- Order compliance with DS rights
- Order controller to notify DS of data breach
- Stop notices (temporary and permanent)
- Power of SA to bring infringements to attention of the Courts
- Possibility of additional national powers

Advisory and authorisation powers

Page 36

Fines (Art 83) – factors the supervisory authority must take into account

- Nature, gravity and duration of the infringement
- Numbers of data subjects affected and level of damage
- Nature, scope and purpose of processing
- Intentional or negligent character of the infringement
- Mitigations taken by the data controller/processor
- History of relevant previous infringements (+ whether SA has previously used Art 58 powers in respect of those)
- Degree of cooperation given to the ICO + whether the body self-reported (how the SA came to know about the infringement)
- Categories of personal data affected
- Compliance with Codes of practice or certification mechanisms
- Other aggravating or mitigating factors

Page 37

Fines – the €10m/2% turnover fines of particular relevance to social housing

- Article 25 – Data protection by design
- Article 26 – Transparency in joint DC arrangements
- Article 28 – Choice of data processor and contracts with them
- Article 30 – Maintaining records of data processing activities
- Article 31 – Cooperation with ICO
- Article 32 – Security measures
- Articles 33 + 34 – Notification of breaches to the ICO and to DS
- Articles 35 + 36 – Failure to undertake DPIA/consult with ICO
- Articles 38-39 – Failures in respect of DPO appointment etc.

Page 38

Fines – the €20m/4% turnover fines of particular relevance to social housing

- Articles 5, 6, 7 and 9 – Processing data without requisite legitimising conditions; demonstrability of consent where this is relied on
- Articles 12-22 – Failure to comply with data subject’s rights:
  - Fair processing (Arts 12-14)
  - Subject access (Art 15)
  - Rectification, erasure and blocking, portability and objection to automated decision taking (Arts 16-22)
- Data exports undertaken in an unsafe way (Arts 44-49)
- Failure to comply with Supervisory Authority enforcement under Art 58 (see above)

Page 39

Administrative fines and other sanctions (Article 84)

- For each member state to determine “whether and to what extent administrative fines may be imposed on public authorities and bodies”
- Member states may set additional rules on other penalties
- No restriction on the nature of penalties that may be adopted (i.e. this can include criminal offences).
- Member states to notify offences to EC by 25 May 2018.

Page 40

Case study (1)

Ambridge Homes is a registered provider. It engages Retplod Security to install, manage and monitor CCTV services in its blocks. Whilst it has a written contract with Retplod, the provisions of the agreement are light on data protection responsibilities. The CCTV is recorded to an unencrypted solid state recorder in the services cabinet, and a feed also goes to Retplod’s control room.

There is no indication in the block of Retplod’s role. Ambridge Homes also engages MopCo to provide estates services. MopCo is not envisaged to process data and the agreement with them does not consider data protection issues.

The services cabinet is left unlocked by MopCo, and the front door of the block is propped open.

Page 41

Case study (1) (cont’d)

Dave, a local opportunist thief, walks in and steals the hard drive. Ambridge does not know about the loss.

Carmina, a tenant, is shopping on Gumtree the next day. She sees a solid state drive for sale, and buys it.

She is surprised to find it has CCTV footage of her on it and is very upset.

- What are the risks for Ambridge Homes?
- Who can Carmina bring a claim against (under the GDPR)?
- How could Ambridge have done things differently to manage the risk better?
- Variant facts (1): there is a history of burglary in the area, which is known to Ambridge. Does this change the risk?
- Variant facts (2): Ambridge is told of the loss. Should it tell Carmina?
- Variant facts (3): What if the hard drive is encrypted?

Page 42

Case study (2)

Carmina then makes a subject access request to Ambridge Homes.

Ambridge forwards the request to Retplod. Both Retplod and Ambridge fail to respond to the request within a month. Ambridge has previously failed to respond to 10 other subject access requests.

Carmina complains to the ICO.

- What are the risks to Ambridge?
- How could Ambridge better manage this risk in the future?

Page 43

Case study (3)

Ambridge is approached by CREDITCO, a credit referencing agency. CREDITCO suggest that sharing information about tenants’ rent payment can help to build a tenant’s credit history and help them to access finance in the future.

What issues does Ambridge need to think about in deciding whether or not to agree to supply information to CREDITCO?

What are the risks of sharing without first speaking to tenants?

Page 44

Case study (4)

Robin is the subject of MAPPA arrangements. He is a registered sex offender and is a tenant of Ambridge.

He argues that information about him should not be shared with the MAPPA meeting/partner agencies, such as the police, probation service and local mental health service.

Robin quotes Article 17 (right to erasure/forgotten) and Article 21 (right to object to processing) to Ambridge and demands that they stop processing his data. He says that the data should be blocked in the meantime (Article 18).

Should Ambridge comply with his request?

Page 45

Managing legal risks – some provisional views

- Will we see an increase in enforcement activities? Question for the ICO!
- Will we see an increase in claims? In our view, likely

So how to manage the risks?
- DPA compliance as a starting point
- Understand what data you’ve got and what you are doing with it
- Planning activities carefully
- Ensuring everyone knows their responsibilities
- Working cooperatively with the ICO
- Care in language (particularly when reporting incidents)
- Insurance

Page 46

Q+A and thank you!

Andrew Latham
Senior Lawyer, Public Law
Capsticks Solicitors LLP

020 8780 [email protected]

@ajlhealthlaw
