CPD module: data protection – supporting residents while also safeguarding their private information
Data protection is about more than compliance – it is about keeping customers safe and providing the best possible services. Rich Brameld, group head of data protection, nominated data protection officer and Caldicott Guardian at Riverside Group, explains more.
Read the article, take a test, earn CPD minutes
Learning outcomes
After reading this article, learners will be able to:
- Define the term ‘data protection’
- Describe why data protection is so important to the work of social landlords generally, and customer-facing staff specifically
- Define the term ‘personal data’, and provide some examples of such information
- Detail the difference between data that directly identifies an individual and that which could indirectly identify someone
- Talk through the general principles of integrating data protection into their work
- Describe how data protection comes into play when identifying residents who may need support
This CPD module offers general guidance on the principles of data protection. Every organisation will have its own guidance on this area, which the advice within this article is not intended to replace or supersede. The piece should be read in conjunction with local guidance and any queries referred to the learner’s own data protection colleagues.
Data protection involves ensuring that any personal data about customers is used appropriately, fairly and kept safe. It is something which UK social landlords have to do by law, but it is about more than compliance – it is about keeping customers and their families safe and providing the best possible services to them.
This CPD article describes the concepts of data protection and personal data, considers why they are important, details some broad principles for protecting data, and also looks at data protection specifically in the context of people who may need support. It is relevant to anyone working directly with social housing tenants.
What is data protection? What is personal data? Why are these concepts important?
In providing services to customers and communities, social landlords need to collect, use and share vast quantities of information. When this information can be used to identify a specific person, it is referred to as ‘personal data’. In the UK, organisations have a legal duty to ensure that personal data is used lawfully, transparently, securely and for purposes that have been specified as legitimate, while safeguarding the rights of individuals. Doing so makes sure that personal data is not used to make unfair or inappropriate decisions, or that it does not fall into the wrong hands – both of which could cause harm.
The importance of data protection in social housing therefore goes beyond just complying with the law. Respect and care for personal data, and its appropriate use, is the building block for strong relationships with customers. It creates trust and enables the delivery of excellent services, which are personalised and relevant.
Data protection is therefore highly relevant to anyone who has direct contact with customers. First and foremost, it is about protecting customers and making sure they are not placed at unnecessary risk.
What are some examples of personal data?
Names, addresses and contact details are the obvious examples of personal data that are used by social landlords to provide customer-facing services. Importantly, however, information does not have to directly identify someone outright to be considered personal data.
Think of a spreadsheet with information about people living in a block of 15 flats. The spreadsheet details the religion, gender, sexuality and number of dependants of each person. It contains no directly identifying data, though – so no names, addresses, customer numbers, email addresses, phone numbers or similar.
Imagine, however, that the spreadsheet shows that only two residents of the block have no dependants. The housing officer looking at the spreadsheet knows which residents have no children and knows that one is a single man and one is a single woman. This means that, by looking at the rows relating to number of dependants and gender, the housing officer could immediately identify the people to which those rows relate. They would know the sexualities and religions of these people – even though their names never appear on the spreadsheet, and perhaps even though the residents had been told this data would be used anonymously and not connected to them.
Even if a piece of information has to be combined with others before it could identify someone – almost like in the children’s game Guess Who? – it still counts at personal data.
How can customer-facing staff ensure they are protecting personal data appropriately?
The language and legal frameworks around data protection can make it feel complicated. However, the actions involved in getting it right are often fairly simple. For example:
- If asking a customer for a piece of information, explain why it is needed and how it is going to be used. This does not need to be a hugely technical or lengthy explanation. “Can I take your phone number so that I can call you back with an update on this?” would count.
- Make sure personal data is only accessed by those who need it to deliver services to a resident. It should not be accessed or shared beyond that.
- Keep personal data as safe as possible. That might mean password-protecting spreadsheets, or ensuring any paper documents are stored out of view.
The responsibility for interpreting the legal frameworks, how these apply to an organisation and then advising on compliance lies with the data protection officer and team. They will create guidance for the organisation, setting out exactly how it will ensure compliance on all this. By following these simple principles, frontline staff have a vital role to play in protecting data.
Laws and regulations affecting data protection in the UK
The main laws governing data protection in the UK are the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Recent years have seen tragic failings in the English social housing sector. In 2017, after years of residents repeatedly raising safety concerns about the building, there was a major fire at Grenfell Tower in west London. Then in 2020, after his parents had frequently complained about mould in their flat, two-year-old Awaab Ishak died from a respiratory condition caused by it.
The Social Housing (Regulation) Act, which came into force in 2023, aimed to address the factors which led to such failings. It requires English social landlords to collect more data about the customer, where relevant, to more easily identify and support individuals who need extra support.
What information should housing officers and other customer-facing staff be collecting on residents who need extra support? How should the information be recorded?
Customer-facing staff are critical to identifying residents who need extra support. Sometimes this is through direct customer communication – someone getting in touch to request debt support or food bank information, for instance.
At other times, it will be through observation. A housing officer visiting a property to deal with anti-social behaviour might notice, for instance, that the tenant has a pile of unopened letters from the NHS and boxes of unused medication. Clearly this could indicate some support needs and, as such, it is important personal information.
Different social landlords will have different policies detailing precisely what actions staff should take in these situations. Safeguarding issues clearly come into play alongside data protection.
Fundamentally, however, it is always sensible to record observed details which suggest someone’s extra support needs. Recording this information factually, without judgement or criticism of the individual, and sharing it with relevant support service teams can lead to timely and appropriate support.
For example: “There were 17 unopened NHS letters and a pile of unused inhalers in the property,” not, “The tenant had not bothered to clear away a pile of letters and medicine prior to my visit.”
If possible and appropriate, there should also be a conversation with the customer at the point at which a possibly concerning observation is made.
There is a common misperception that data protection laws prevent the collection and sharing of information that could help to support someone who is struggling; that it is a blocker to the work of social landlords. However, the law will not prevent the collection or use of personal data when it is necessary to provide vital support to an individual. It is simply about ensuring people’s personal data is treated with respect – as we would want our own such information to be.
Areas to reflect on
- What was your understanding of data protection prior to reading this piece? Has your understanding now changed? If so, how?
- What will you do differently having read this article?
- What one point in this piece do you want to share with colleagues who may not have read it? How will you share it?
Summary
Under UK law, organisations using personal data are required to protect that information. In providing services to customers, social landlords frequently collect and make use of such information – especially staff working directly with customers.
While overall responsibility for advising on data protection compliance lies with an organisation’s data protection team, all staff need to understand the concept and embed it in their work. This is not necessarily as complicated as it sounds. At its heart, it is about collecting, using and sharing any personal data with care, thought and sensitivity.
References and further reading
- ICO (Information Commissioner’s Office) “For organisations” ico.org.uk/for-organisations/
Latest stories
