Law guide: Landlords

See how we helped Liz

"It's not just a website... there are people there on call who can help answer your queries."

Liz W, London

Tenants' personal information

Tenants' personal information

When you take on a new tenant, you'll inevitably collect, store and use their personal information (data). For example, you will use their contact details to communicate with them while drafting the tenancy agreement and may have already shared them to obtain financial and other references, such as from a bank or previous landlord.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern how landlords should handle personal information about their tenants. In particular, how they collect, use, process and store it, and the rights tenants have about its use. These rights are enforced in the UK by the Information Commissioner's Office (ICO).

Background

The General Data Protection Regulation (GDPR) became law in the EU and UK on 25 May 2018. The Data Protection Act 2018, introduced at the same time as the GDPR, covered areas not dealt with by the GDPR.

From 1 January 2021 (when the UK no longer had to comply with EU law), the UK created the UK GDPR – this is broadly the same as the previous GDPR, with some amendments. This means personal data being processed in the UK must now comply with the UK GDPR and the Data Protection Act 2018.

The version of the GDPR that continues to apply within the EU is now known in the UK as the EU GDPR.

Personal information and processing

Personal information is information that can identify your tenant, such as their name, address, date of birth, email address, passport number that is stored electronically on a computer, or in organised paper-based filing systems.

Processing the information is generally anything that you do to it and includes:

  • Obtaining, recording or storing it
  • Carrying out tasks on it, including using, reading, sharing, retrieving, accessing, organising, amending or erasing the information

Only the data required for the tenancy relationship should be acquired, stored securely and regularly reviewed to ensure it remains necessary, accurate and up to date.

The lawful grounds to process personal information

You must process the tenant's personal information only in the lawful manner set out in the UK GDPR. In the past you may have simply had a clause in the tenancy agreement where the tenant signs confirming they consent to their data being processed by you. This may now be unlawful. Although the UK GDPR does have getting consent as one of the ways you can lawfully process data, it's not recommended to rely on this ground in a landlord-tenant situation. This is because there may be an imbalance of power with the landlord having a position of power over a tenant. Additionally, as the tenant could withdraw their consent at any time, it wouldn't be in your interest to rely on consent anyway.

You will most likely be able to use the following (alternative) lawful ways to process a tenant's personal information:

Performance of a contract

Processing personal information will be required as you will have a tenancy agreement or licence with the tenant, and you both need to fulfil your obligations under it. This will include where it is necessary to take specific steps before entering into it.

Examples of personal information that you will rely on for this ground include:

  • Their home address and personal contact details, for communications
  • Their bank details to get credit references
  • Details of their previous landlord, for reference purposes

This ground is likely to cover many of your data processing needs while managing a tenancy.

Legal obligation

This is where you are required to use a tenant's information to comply with a legal requirement, such as from legislation, a regulatory requirement where it's supported by a statute, a court order or court decisions (case law), but not contractual obligations.

Examples of using this include complying with right to rent and data protection obligations and gas safety laws.

Legitimate interests

This can be relied on if the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the tenant's personal data which overrides your legitimate interests. To comply with the UK GDPR accountability and transparency requirements, you should:

  • Perform a 'legitimate interest assessment' for each interest being relied upon.
  • Mention the legitimate interests you are relying on, and your reasons for using them, in the privacy notice provided to the tenant.

Examples of how you may rely on this ground and reasons for doing so include:

  • Obtaining required references or credit checks – to ensure you have tenants who pay the rent and take proper care of your property without causing a nuisance to neighbours
  • Reading references provided to you by a letting/managing agent – for the same reason mentioned above
  • Disclosing information to a debt collector or insurance company where a tenant has left leaving rent arrears – to enforce a breach of the agreement
  • Providing a tenant's forwarding address where debts are owed to third parties, such as their former utility company or your local council - to prevent fraud and so that they can enforce the debt
  • Providing a tenant's contact details to service providers who need access to your property – in order to effect repairs to the property (which may also be a legal obligation) or to comply with your contractual obligations to a superior landlord
  • Notifying joint tenants of any rent arrears owed by another tenant - to recover unpaid rent
  • Informing a guarantor where a tenant has failed to pay rent - to recover unpaid rent and enforce a breach of the agreement

See the Information Commissioner's Office (ICO) guide on legitimate interests and how to perform a legitimate interest assessment. You can also find a template for use when performing an assessment on their website.

Vital interest

You can only use this if it is essential to protect the life of the tenant or another person. This will be used in very rare circumstances.

Consent

Consent is harder to obtain under the new laws and can be withdrawn at any time, so may be of limited use. However, where none of the above legal grounds can be used, you can seek the tenant's consent if you need to use their information for a specific purpose.

To obtain consent it must be:

  • Freely given - this means giving people genuine ongoing choice and control over how you use their data
  • Obvious - requiring a positive action to opt-in, meaning it must be prominent and in a separate document from other terms and conditions, e.g. the tenancy agreement
  • Specific and informed – this means it must state what it is for and why you need it
  • Unambiguous – this means it must be concise, easy to understand, and user-friendly

Points to remember

  • You must be able to prove that:
    • Processing is 'necessary' for the stated purpose, i.e. you could not achieve the same result using a different (less intrusive) way.
    • The stated lawful basis applies to the processing. Legal obligation, performance of a contract and protecting someone's vital interests relate to a particular specified purpose. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first.
  • You must consider which lawful basis best fits your purposes for processing personal information before starting to process it.
  • You must document your reasons for selecting the lawful basis.

Copyright © 2024 Epoq Group Ltd. All trademarks acknowledged, all rights reserved

This website is operated by Epoq Legal Ltd, registered in England and Wales, company number 3707955, whose registered office is at 2 Imperial Place, Maxwell Road, Borehamwood, Hertfordshire, WD6 1JN. Epoq Legal Ltd is authorised and regulated by the Solicitors Regulation Authority (SRA number 645296).

Our use of cookies

We use necessary cookies to make our site work. We would also like to set some optional cookies. We won't set these optional cookies unless you enable them. Please choose whether this site may use optional cookies by selecting 'On' or 'Off' for each category below. Using this tool will set a cookie on your device to remember your preferences.

For more detailed information about the cookies we use, see our Cookie notice.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Functionality cookies

We'd like to set cookies to provide you with a better customer experience. For more information on these cookies, please see our cookie notice.