11th October 2017

Does your privacy policy measure up?

Civica’s Executive Director, Housing & Asset Management Jeff Hewitt looks at the results of a recent survey into privacy policies for housing associations ahead of the 2018 GDPR legislation

Today’s housing associations provide a vital service to citizens, whether via small independent charities or multi-disciplinary groups; and when it comes to the collection and storage of extremely sensitive data, housing associations often hold vast amounts of records about both their clients and the communities they support. As well as general contact, tenancy and financial information, this data can include details on people living with a disability, as well as information on elderly or vulnerable people [1].

Equally, housing associations operate in a complex environment. They often provide additional services to tenants, use external contractors as well as collecting information digitally. This can mean that it’s far too easy to share sensitive data across different organisations and departments without recognising the legal implications, and even increased risk of data being lost or hacked.

GDPR: Ready or not

Regardless of Brexit, housing associations in the UK will be subject to the General Data Protection Regulation (GDPR) from May 2018 – legislation which will be strictly enforced. At its core, the regulation brings greater accountability and transparency for all organisations which collect, store and analyse personal information. The balance of power is shifting back to citizens, giving them greater control and re-enforcing their ‘right to be forgotten’ – which creates new obligations for organisations.

But before the GDPR comes into play, there are practical and important steps that housing associations should take; one of the first is to consider a thorough review of your organisation’s Privacy Policy.

In partnership with MyLife Digital, Civica compiled a recent report to help housing associations identify gaps in their Privacy Policy to better prepare for the GDPR. We’ve analysed the Privacy Policies of 100 housing associations across England, Scotland and Wales, while researching the requirements of the GDPR and reading the guidance from the Information Commissioner’s Office (ICO) regarding their findings against organisations that have breached the current Data Protection Act 1998.

Our research looked at a number of key measures of how the current privacy policies of the studied housing associations measured up. Here are some of the key findings: 

• Around 18% of housing associations do not have a privacy policy, which is substantially higher than the top 100 UK charities (8%) or local authorities (4%).

• A staggering 99% of housing associations do not mention profiling in their policies, while under the GDPR, it should clearly state how collected data is used to create profiles.

• Only 52% of privacy policies scrutinised showed a clear reference to sharing of data; a practice which is highly likely to occur in housing associations. 

• Looking at how long data is kept on record, the vast majority (96%) do not mention details; but under GDPR it will be essential to consider how long we retain data and verify this period has been considered and documented.

• One of the most significant changes under the GDPR is for housing associations (and all public bodies) to have a named data controller or processor. But only 12% clearly state a named person in their current privacy policy. 

Complying with GDPR will inevitably involve increased work, time and cost in implementing strategies and processes to comply. Yet, if done in the right way, the opportunity it creates to build or strengthen trust could well outweigh these issues. Now is the time to not only protect your organisation, but also go a step further; to truly build and deepen trust with your tenants.

To download the full research report, visit www.civica.com/housing or join the debate on GDPR: Ready or not at www.civica.com/gdpr

[1] https://ico.org.uk/media/action-weve-taken/audits-and-advisory-visits/1935/advisory-outcomes-report-social-housing-organisations.pdf