Data protection and landlords

Lorraine DindiLorraine Dindi
Last updated on:
August 24, 2022
Published on:
November 9, 2021

Read the privacy notice guide now

Read the Guide

How the UK’s data protection laws impact private landlords.

Even in a post-Brexit world, the European Union’s GDPR lives on in the UK through the Data Protection Act 2018. Since its inception, the GDPR was bound to be amongst the world’s strictest data protection laws as it imposes a duty on everyone who handles other individuals’ personal data to follow certain data protection principles. Naturally, this includes landlords who store and process the data of their tenants. Keep reading for an overview of the duties imposed by the current legislation on landlords and tips for how they can stay compliant.

What is personal data?

The current laws were enacted in 2018, which you may remember as the year of the Cambridge Analytica scandal, where 87 million Facebook users’ data was harvested and Mark Zuckerberg was summoned to the US Congress. 5 billion records were reported to have been breached that year. Big Tech was facing increasing scrutiny for how they handled their users’ data, and we all had to be held accountable, even landlords. Landlords handle information which relates to an identifiable person, such as names, addresses, ID documents and numbers. Along with certain email addresses and Internet Protocol (IP) addresses, this data is personal data because it can be used to identify a particular person. 

How should data be handled?

Data must be collected, processed and stored according to the following seven principles

  • Data processing must be lawful, fair, and transparent to the data subject;
  • Data must be processed for the legitimate purpose specified when it was collected;
  • Only as much data as is absolutely necessary for the purpose specified must be collected and processed;
  • Personal data must be accurate and up-to-date;
  • Personal data must be stored for only as long as necessary for the specified purpose;
  • Data must be processed in a way which ensures its security and integrity;
  • The data controller is responsible for demonstrating compliance with these principles.

This means that landlords must be upfront about why they are collecting a tenant’s data. While they may require a tenant’s consent in some cases to process personal data, there are other legal bases they may use. These include the fulfilment of contractual or legal obligations, such as passing information to a contractor to carry out mandatory repairs or carrying out a right to rent check, respectively. Another basis would be a legitimate interest, which is where an individual’s data is used in ways they would reasonably expect it to be used. 

What do tenants need to know?

It is important that tenants understand how a landlord will uphold their statutory rights in regard to data security. A good tenancy agreement will therefore explain this information. A landlord should notify a tenant of their GDPR rights, such as the right to request sight of any personal information of theirs that you hold. Tenants also have the right to be forgotten i.e. they can request for all information held by a landlord on them to be removed or deleted.

It is advisable that a landlord draw up a fair processing notice, which is a type of data protection policy. The tenant must read and sign this notice to acknowledge that they’ve understood its terms. The notice must cover the data protections principles discussed above i.e. why the data is being collected, how it will be used, if it will be shared with third parties from time to time, the legal basis for its collection, and how long it will be stored.

Curious about automated data extraction from documents?

What else must landlords do?

Landlords must register with the Information Commissioner’s Office (ICO)if they intend to collect, process, or store the personal data of tenants on any electrical device such as a phone or computer. The registration costs £35-40 per year, and the fine for non-registration is a civil penalty of up to £4350. This obligation exists even if a landlord contracts a letting agent, as long as they themselves will be handling personal data of the tenants. Landlords also have a duty to report any suspected data breach to the ICO as soon as they become aware of it.  If landlords have a website to advertise their properties, they must get an SSL certificate if any personal data is transferred over it to ensure security when visitors enter their details on the website.

Legislate is a contracting platform where landlords can create tenancy agreements which address relevant data protection and security laws.

You can read how to create your first Legislate agreements in our tutorial and watch a short demo. If you would like to try Legislate, please book an introductory call or sign up.

The opinions on this page are for general information purposes only and do not constitute legal advice on which you should rely.

Create your privacy notice now

Get Started

Keep Reading

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.