
Protecting personal information in housing

David Teague shares practical advice from the Information Commissioner’s Office (ICO) to help housing organisations protect residents’ personal information and keep their systems secure.

In order to provide accommodation, services and support to residents, all housing organisations must process personal information. This can be anything from someone’s contact details to sensitive information such as their medical records. Anyone who processes personal information has a responsibility to protect it under data protection law. This includes keeping it secure, ensuring it is accurate and being transparent with people about how you plan to use it.

As the UK’s data protection regulator, we want to support all organisations in the housing sector to handle personal information responsibly and lawfully. Prioritising basic steps, such as staff training, double-checking records and restricting access can help to prevent personal data breaches before they happen, reducing the risk of harm for residents. Good information security will also mitigate the risk of cyber-attacks and help to protect the personal information you hold.

We have highlighted some practical steps that housing organisations can take to ensure they have robust data protection practices in place:

Ensure training is thorough and relevant

All housing organisations must ensure that staff are properly trained so that they are aware of their data protection obligations. All staff must be fully trained on the correct processes and procedures involving personal information so they know when to escalate any breaches, and what records they are allowed to access. It is also important to make sure any training is role-specific, tailored and relevant to the tasks being completed. Staff should feel confident in handling people’s personal information securely and following the processes at their organisation.

Earlier this year, we issued a reprimand to Clyde Valley Housing Association for exposing residents’ personal information on an online customer portal. A resident called a customer service adviser to flag the breach, but the adviser did not escalate the concern. Our investigation found that the housing association had failed to carry out adequate testing before the portal went live, and that staff were not appropriately trained on how to escalate a breach.

Regularly check and double-check information is accurate

Housing organisations must take steps to ensure the personal information they hold is accurate. Many breaches can be prevented by ensuring staff always double-check before any personal information is transferred, altered or disclosed. Regularly confirming with residents that the contact details and instructions you hold for them are still current can prevent information being sent to an old postal address, email address or phone number. Keeping an accurate record of contact with residents will also help you to address issues in a timely manner.

In 2022, we issued a reprimand to housing provider Bolton at Home for inappropriately disclosing the home address of a domestic abuse victim. Our investigation found that the housing association needed to be more careful with their record keeping to protect residents.

Have a system in place to support data sharing

Housing organisations may occasionally receive requests for information about their current and former residents from third parties, such as utility companies and debt collectors.

There are situations where it may be necessary to share personal information about residents with third parties, and housing organisations should have an appropriate system in place for handling such requests. Requiring senior members of staff who are trained in data protection to decide, case by case, whether or not to release personal information reduces the likelihood of data being shared inappropriately. If a housing organisation decides to share personal information, it should provide only the information that is relevant and necessary, and make a record of the decision.

Take steps to keep your systems secure, including:

  • Use strong passwords and multi-factor authentication: Make sure you use strong, unique passwords on smartphones, laptops, tablets, email accounts and any other devices or accounts where personal information is stored. Where possible, enable multi-factor authentication. This is a security measure to make sure the right person is accessing the data: it requires at least two separate factors, such as a password and a code from an authenticator app, before access is granted.
  • Be wary of suspicious emails: Monitor regularly for suspicious activity and investigate anything unusual. Staff need to know how to handle suspicious emails and to report them promptly to the relevant colleagues. Look out for demands to act urgently, requests to update payment details and password resets you did not request.
  • Install malware protection, and keep it up to date: Malware protection software can help protect your devices against attack, but only if it is regularly updated and monitored. Act on any alerts, even where the software reports that it has removed the threat, as an alert may be a sign of a wider problem.
  • Update software: Apply software updates promptly. Updates fix known security vulnerabilities and reduce the chance of a successful attack.
  • Don’t keep data for longer than you need it: Getting rid of data you no longer need doesn’t just free up storage space, it’s a key principle of data protection. It means you have less personal information at risk if you suffer a cyber-attack or personal data breach.
  • Dispose of old IT equipment and records securely: Make sure no personal data is left on computers, laptops, smartphones or any other digital devices before you dispose of them. Consider using secure deletion software or hiring a specialist to wipe the data. Paper records should be shredded or otherwise destroyed securely.
  • Report to the ICO: If a cyber-attack results in a personal data breach that is likely to pose a risk to individuals, you must report it to the ICO within 72 hours of becoming aware of it. We have also worked with the NCSC to remind organisations not to pay a ransom following a cyber-attack: paying does not reduce the risk to individuals and is not considered a reasonable step to safeguard data.

The ICO is here to help both housing organisations and residents

For further case studies about issues such as data sharing and accurate record keeping, the ICO has a blog specifically on how data protection law can prevent harm in the housing sector.

Any housing organisation that needs support to process or share personal information can find further guidance on our website or contact us for advice.

We are also here to support the public and ensure their data protection rights are respected. If anyone is concerned about how their data is being handled by an organisation, they can make a complaint to us.

David Teague is head of Welsh affairs at the Information Commissioner’s Office

