When you take on a new tenant, you'll inevitably collect, store and use their personal information (data). For example, you will use their contact details to communicate with them while drafting the tenancy agreement and may have already shared them to obtain financial and other references, such as from a bank or previous landlord.
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern how landlords should handle personal information about their tenants. In particular, how they collect, use, process and store it, and the rights tenants have about its use. These rights are enforced in the UK by the Information Commissioner's Office (ICO).
The General Data Protection Regulation (GDPR) became law in the EU and UK on 25 May 2018. The Data Protection Act 2018, introduced at the same time as the GDPR, covered areas not dealt with by the GDPR.
From 1 January 2021 (when the UK no longer had to comply with EU law), the UK created the UK GDPR – this is broadly the same as the previous GDPR, with some amendments. This means personal data being processed in the UK must now comply with the UK GDPR and the Data Protection Act 2018.
The version of the GDPR that continues to apply within the EU is now known in the UK as the EU GDPR.
Personal information is information that can identify your tenant, such as their name, address, date of birth, email address, passport number that is stored electronically on a computer, or in organised paper-based filing systems.
Processing the information is generally anything that you do to it and includes:
Only the data required for the tenancy relationship should be acquired, stored securely and regularly reviewed to ensure it remains necessary, accurate and up to date.
You must process the tenant's personal information only in the lawful manner set out in the UK GDPR. In the past you may have simply had a clause in the tenancy agreement where the tenant signs confirming they consent to their data being processed by you. This may now be unlawful. Although the UK GDPR does have getting consent as one of the ways you can lawfully process data, it's not recommended to rely on this ground in a landlord-tenant situation. This is because there may be an imbalance of power with the landlord having a position of power over a tenant. Additionally, as the tenant could withdraw their consent at any time, it wouldn't be in your interest to rely on consent anyway.
You will most likely be able to use the following (alternative) lawful ways to process a tenant's personal information:
Performance of a contract
Processing personal information will be required as you will have a tenancy agreement or licence with the tenant, and you both need to fulfil your obligations under it. This will include where it is necessary to take specific steps before entering into it.
Examples of personal information that you will rely on for this ground include:
This ground is likely to cover many of your data processing needs while managing a tenancy.
Legal obligation
This is where you are required to use a tenant's information to comply with a legal requirement, such as from legislation, a regulatory requirement where it's supported by a statute, a court order or court decisions (case law), but not contractual obligations.
Examples of using this include complying with right to rent and data protection obligations and gas safety laws.
Legitimate interests
This can be relied on if the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the tenant's personal data which overrides your legitimate interests. To comply with the UK GDPR accountability and transparency requirements, you should:
Examples of how you may rely on this ground and reasons for doing so include:
See the Information Commissioner's Office (ICO) guide on legitimate interests and how to perform a legitimate interest assessment. You can also find a template for use when performing an assessment on their website.
Vital interest
You can only use this if it is essential to protect the life of the tenant or another person. This will be used in very rare circumstances.
Consent
Consent is harder to obtain under the new laws and can be withdrawn at any time, so may be of limited use. However, where none of the above legal grounds can be used, you can seek the tenant's consent if you need to use their information for a specific purpose.
To obtain consent it must be:
Points to remember