News and Events

Data Protection at Property Management Unwrapped 2016

What a superb event the Property Unwrapped Conference was last weekend! My first time attending as a recently joined ‘Brethertonian’. I was so impressed with both the firm for putting on such an event but also with the uptake. More than 140 attendees together with some interesting and informative speakers really made this a worthwhile event.

And so to Data Protection…we were very lucky and also incredibly grateful to the representatives of the Information Commissioner’s Office (ICO) for presenting a keynote speech to all attendees on the existing law and how it relates specifically to the Property Management industry. Of course there was an element of irony given that the results of the referendum had just been announced that morning; it was interesting to have the ICO’s view on the future of data protection generally and the reformed EU legislation due in 2018. The ICO has published a statement on their website, reiterating that the Data Protection Act remains the law of the land irrespective of the referendum result.
“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018."
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case."

A statement from Donald Tusk, Head of the European Council also reads;

"I would also like to reassure you that there will be no legal vacuum. Until the United Kingdom formally leaves the European Union, EU law will continue to apply to and within the UK. And by this I mean rights and obligations."

Joff Gray from the ICO also confirmed that it is most likely that the new regulation will be incorporated into English law and so it seems that businesses would be mindful to proceed on this basis. 

We then held a seminar which enabled more detailed discussion of certain aspects. We looked at the definition of personal data and how in some circumstances this could simply constitute details about a property regardless of whether or not an individual is mentioned. Also, the obligations faced by property managing agents and how best to comply with these, ensuring that you have a process which addresses each part of the ‘story’ of the data. This means accounting for how the data is collected, who has access to it, how its accuracy is maintained, who the data is released to, how long it is kept for and what methods are used to destroy it. The importance of fairness in relation to the treatment of data was discussed together with how important communication is to all individuals, whether they are your clients, tenants, employees or other stakeholders – data protection law applies to any individual for whom you hold personal data and so the need to be clear, fair and trustworthy is of vital importance.  Any serious breach of data protection would be likely to result in a review of processes by the ICO and, of course, could result in financial penalty.

Rights of individuals were discussed and the way in which these can be exercised, particularly in relation to the right of access whereby an individual can request, and be supplied with, a copy of the data held about them. It seems this right is most used by those individuals who may have a history of making complaints or instigating disputes – certainly the experience I have had with clients over the last few months confirms this and further confirms the necessity to comply with the Act to avoid attracting unnecessary attention from the ICO as a result of an individual’s complaint.

Possibly the most important message that emerged from the day was the need for managing agents to make a distinction between their relationship with their clients and their obligations under the Data Protection Act 1998. Data controllers and data processors attract different levels of risk and therefore liability.  However, it seems likely that any managing agent will be deemed to be acting as controller in the course of their day to day management obligations and as such, consideration should be given to any information received from any source before it is automatically passed on to your clients.

These were just some of the topics covered over the course of the day and by no means encompasses all discussions.  If you would like any further guidance on the above or on any aspect of data protection law then please do get in touch with me.