Are Housing Associations risking resident safety with poor data protection?

The Information Commissioner's Office (ICO) has issued a critical warning to housing associations across the UK. 

What for? 

Compliance with the GDPR and the Data Protection Act (DPA). 

The ICO's warning responds to a range of complaints about data protection failures in housing organisations. These issues range from the nature of the data handled and the risks stemming from poor data protection practices to the specific vulnerabilities of certain resident groups.

This comes in the wake of significant data breaches in the sector, including the 2022 incident at Clarion, the UK's largest Housing Association. Clarion, which managed 125,000 homes, experienced a cyberattack that disrupted its phone lines and other IT systems, and advised tenants not to contact the company by phone unless they required emergency repairs. 

Additionally, a survey by Phoenix and the National Housing Federation (NHF) revealed that only 4% of housing associations felt fully prepared for a ransomware attack. 

With almost half of housing associations struggling to recruit and retain cybersecurity staff, the question arises: are data practices being properly handled?


How do these data breaches impact real people?

The ICO’s warning brought three specific cases to light, each with a different impact on real people.

In the case of Mr A, his housing association inappropriately shared his health information with a legal advisor, without a lawful basis or his consent. This misstep not only breached data protection laws but also inflicted severe emotional distress on Mr A, which meant he lost faith in his housing provider and ultimately sought accommodation elsewhere. 

With Ms B, her request for essential repair information was denied under the mistaken pretext of data protection. This impeded timely repair work and led to additional damage and costs. 

In Ms C’s case, after she reported property damage due to damp and mould, her complaints were neither addressed in a timely manner nor properly recorded. The neglect culminated in the Housing Ombudsman Service intervening and ordering compensation for her.

These cases collectively emphasise the profound impact that data protection and record-keeping practices have on the lives of residents. They bring to light the human element in data protection, where lapses can lead to distress, financial loss, and a loss of trust.


How can housing associations regain faith?

To address these challenges, the ICO advises housing associations to implement meaningful changes, including:

  • Staff training: prioritise comprehensive training to enhance understanding and implementation of data protection obligations.

  • Good records management: emphasise the importance of maintaining accurate records to efficiently address resident issues and support.

  • Transparency with residents: ensure clear communication regarding the collection and use of residents' data.

  • Appointing a data protection officer (DPO): recognise the need for a DPO in specific scenarios to oversee data protection strategies.

  • Data sharing resources: encourage the use of the ICO’s resources for lawful data sharing.


The ICO's warning serves as a crucial call-to-action for housing associations. It's not just about compliance but about safeguarding the trust and well-being of residents. By embracing robust data protection practices, housing associations can not only mitigate risks but also enhance the quality of service and security they provide to their communities.

This warning also underscores a critical need for stringent management of video data, so that surveillance and other video recordings respect residents' privacy rights in compliance with GDPR and DPA 2018. This requires a careful balance between security measures and the potential for intrusive breaches of personal privacy in residential settings. Anonymisation effectively balances security and privacy in such environments by removing personal identifiers from video data. This allows for reliable security footage without unnecessarily compromising privacy.

