Cyber security is an issue of increasing importance in the housing sector and last year it overtook health and safety as the primary strategic concern flagged by housing organisations, as identified in Inside Housing's Risk Register Survey 2024. Fundamental to cyber security is effective data management and failures to achieve this by housing organisations have contributed to some of the more recent failings in the housing sector.
The regulators also have an increased focus on data management and security within the sector. The Information Commissioner's Office (ICO) has published guidance on the lawful use of residents' personal data whilst the Department for Levelling Up, Housing and Communities (DLUHC) and the Regulator of Social Housing (RSH) have launched consultations focussing on the rights of residents and the provision of tailored and appropriate housing and services to residents. By doing so, there is a demand for a greater understanding of residents and their needs, achieved through the processing and sharing of residents' data.
So, how can the sector ensure that it protects residents and their data in the provision of housing and services?
The ICO's guidance – using data protection law to safeguard residents
With its increased focus on data management in the sector, the ICO has published guidance to remind housing organisations of their obligations under data protection law and highlighting the importance of safeguarding residents and their data. In its guidance, the ICO warns that a failure to understand and adhere to data protection law can put residents at risk of physical and mental harm. An increasing number of residents are complaining to the ICO about the poor data practises of their housing organisation, including the compromise of personal data and a failure to carry out necessary services.
The ICO has identified the following common issues and concerns in the housing sector:
- Inappropriate disclosures of personal data, which must only be disclosed when it is necessary and appropriate. When deciding whether to make a disclosure, housing organisations must consider whether there is a lawful basis for sharing the personal data.
- A lack of understanding of data protection law to the detriment of tenants who need housing support. The lack of understanding involves not only the improper disclosure of personal data but also the refusal of residents' requests and a failure to provide them with the services and support on the incorrect assumption that to do so would breach data protection law.
- A failure to keep accurate records of residents' data which causes issues for both housing organisations (including the payment of compensation to residents and loss of residents' trust and confidence) and residents (who do not receive the appropriate level of service).
To ensure the proper and lawful processing and sharing of residents' personal data, housing organisations should (i) prioritise staff training on an ongoing basis (ii) practice good records management and (iii) be open and honest with residents and inform them of how their personal data is collected and used.
The Regulators' requirements for data governance
The need for good data governance in the sector doesn’t stop with the ICO. DLUHC has launched a consultation which focusses on housing organisations providing residents with key information relating to their rights, the provision of accommodation, services and facilities, the relevant regulatory requirements and how they can complain.
Alongside this, the RSH has issued four draft Consumer Standards setting out the outcomes which all registered providers will be expected to achieve. They are (i) The Safety and Quality Standard, (ii) The Transparency, Influence and Accountability Standard, (iii) The Neighbourhood and Community Standard and (iv) The Tenancy Standard. The objectives of the Consumer Standards are to ensure that residents can be involved with the management of social housing and to support well-managed, safe and appropriate quality social housing.
Whilst, on the one hand, the ICO is focussed on the proper and lawful processing of personal data, DLUHC and the RSH are focussed on housing organisations knowing their residents and understanding their needs; to achieve this personal data is essential. Whilst there appears to be an immediate tension between the two approaches, it is clear that increasing data quality and data management is high on the regulators' agendas. Housing organisations will need to take stock and navigate how to collect and use residents' personal data to provide services and keep residents safe, and adhere to the new Consumer Standards, all whilst complying with data protection law. Data protection law should not be a barrier to sensible, careful and lawful data processing.
CyberSecure 360 – how housing organisations can strengthen their cyber and data defences
Recent years have seen a number of cyberattacks on housing organisations which have debilitated their operations and had a significant impact on the services available to residents. Consequently, those housing organisations affected have been implementing measures to strengthen their cyber and data defences. It is no surprise that cyber resilience has been identified as the primary strategic concern for the sector.
Cyber risk management must go hand in hand with good data governance and taking a pre-emptive look at your organisation's cyber risks now will leave you better placed to deal with the fallout from a cyber-attack. CyberSecure 360 is our service designed to provide your organisation with expert guidance and comprehensive services, aimed at strengthening your business against ever-evolving cyber risk. Whether you are looking to test your cyber-readiness, or seeking assistance with mitigating the impact of a breach, our unique cyber risk management services will help you embark on your cyber journey with confidence.
If you would like to discuss how to implement robust cyber defences, please contact us at cyber360@trowers.com.
