Tenants' personal information
When you take on a new tenant, you'll inevitably collect, store and use their personal information (data). For example, you will use their contact details to communicate with them while drafting the tenancy agreement and may have already shared them to obtain financial and other references, such as from a bank or previous landlord.
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern how landlords should handle personal information about their tenants, in particular how they collect, use, process and store it, and the rights tenants have about its use. These rights are enforced in the UK by the Information Commissioner's Office (ICO).
Background
The General Data Protection Regulation (GDPR) became law in the EU and UK on 25 May 2018. The Data Protection Act 2018, introduced at the same time as the GDPR, covered areas not dealt with by the GDPR.
From 1 January 2021 (when the UK no longer had to comply with EU law), the UK created the UK GDPR – this is broadly the same as the previous GDPR, with some amendments. This means personal data being processed in the UK must now comply with the UK GDPR and the Data Protection Act 2018.
The version of the GDPR that continues to apply within the EU is now known in the UK as the EU GDPR.
Personal information and processing
Personal information is information that can identify your tenant, such as their name, address, date of birth, email address or passport number, that is stored electronically on a computer or in organised paper-based filing systems.
Processing the information is generally anything that you do to it and includes:
- Obtaining, recording or storing it
- Carrying out tasks on it, including using, reading, sharing, retrieving, accessing, organising, amending or erasing the information
Only the data required for the tenancy relationship should be acquired. It should be stored securely and regularly reviewed to ensure it remains necessary, accurate and up to date.
The lawful grounds to process personal information
You must process the tenant's personal information only in the lawful manner set out in the UK GDPR. In the past you may have simply had a clause in the tenancy agreement which the tenant signed to confirm they consented to their data being processed by you. This may now be unlawful. Although consent is one of the ways the UK GDPR allows you to lawfully process data, it's not recommended to rely on this ground in a landlord-tenant situation. This is because there may be an imbalance of power, with the landlord in a position of power over the tenant. Additionally, as the tenant could withdraw their consent at any time, it wouldn't be in your interest to rely on consent anyway.
You will most likely be able to use the following (alternative) lawful ways to process a tenant's personal information:
Performance of a contract
Processing personal information will be required as you will have a tenancy agreement or licence with the tenant, and you both need to fulfil your obligations under it. This will include where it is necessary to take specific steps before entering into it.
Examples of personal information that you will rely on for this ground include:
- Their home address and personal contact details, for communications
- Their bank details to get credit references
- Details of their previous landlord, for reference purposes
This ground is likely to cover many of your data processing needs while managing a tenancy.
Legal obligation
This is where you are required to use a tenant's information to comply with a legal requirement, such as from legislation, a regulatory requirement where it's supported by a statute, a court order or court decisions (case law), but not contractual obligations.
Examples of using this ground include complying with right to rent and data protection obligations, and with gas safety laws.
Legitimate interests
This can be relied on if the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the tenant's personal data which overrides your legitimate interests. To comply with the UK GDPR accountability and transparency requirements, you should:
- Perform a 'legitimate interest assessment' for each interest being relied upon.
- Mention the legitimate interests you are relying on, and your reasons for using them, in the privacy notice provided to the tenant.
Examples of how you may rely on this ground and reasons for doing so include:
- Obtaining required references or credit checks – to ensure you have tenants who pay the rent and take proper care of your property without causing a nuisance to neighbours
- Reading references provided to you by a letting/managing agent – for the same reason mentioned above
- Disclosing information to a debt collector or insurance company where a tenant has left with rent arrears outstanding – to enforce a breach of the agreement
- Providing a tenant's forwarding address where debts are owed to third parties, such as their former utility company or your local council – to prevent fraud and so that they can enforce the debt
- Providing a tenant's contact details to service providers who need access to your property – in order to effect repairs to the property (which may also be a legal obligation) or to comply with your contractual obligations to a superior landlord
- Notifying joint tenants of any rent arrears owed by another tenant – to recover unpaid rent
- Informing a guarantor where a tenant has failed to pay rent – to recover unpaid rent and enforce a breach of the agreement
See the Information Commissioner's Office (ICO) guide on legitimate interests and how to perform a legitimate interest assessment. You can also find a template for use when performing an assessment on their website.
Vital interest
You can only use this if it is essential to protect the life of the tenant or another person. This will be used in very rare circumstances.
Consent
Consent is harder to obtain under the new laws and can be withdrawn at any time, so may be of limited use. However, where none of the above legal grounds can be used, you can seek the tenant's consent if you need to use their information for a specific purpose.
When you obtain consent, it must be:
- Freely given – this means giving people genuine ongoing choice and control over how you use their data
- Obvious – requiring a positive action to opt-in, meaning it must be prominent and in a separate document from other terms and conditions, e.g. the tenancy agreement
- Specific and informed – this means it must state what it is for and why you need it
- Unambiguous – this means it must be concise, easy to understand, and user-friendly
Points to remember
- You must be able to prove that:
  - Processing is 'necessary' for the stated purpose, i.e. you could not achieve the same result using a different (less intrusive) way.
  - The stated lawful basis applies to the processing. Legal obligation, performance of a contract and protecting someone's vital interests relate to a particular specified purpose. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first.
- You must consider which lawful basis best fits your purposes for processing personal information before starting to process it.
- You must document your reasons for selecting the lawful basis.