Law guide: Property

See how we helped Michael

"Fantastic! The legal document I used was so comprehensive and easy to complete. It is very reassuring to know my business now has this level of protection"

Michael S, London

Tenants' personal information

Tenants' personal information

Contents

When you take on a new tenant, you'll inevitably collect, store and use their personal information (data). For example, you will use their contact details to communicate with them while drafting the tenancy agreement and may have already shared them to obtain financial and other references, such as from a bank or previous landlord.

The Data Protection Act 2018 and the EU General Data Protection Regulation changes the law on how landlords should handle (process) personal information about their tenants.

Personal information and processing

Personal information is information that can identify your tenant, such as their name, address, date of birth, email address, passport number that is stored electronically on a computer, or in organised paper-based filing systems.

Processing the information is generally anything that you do to it and includes:

  • Obtaining, recording or storing it
  • Carrying out tasks on it, including using, reading, sharing, retrieving, accessing, organising, amending or erasing the information

Only the data required for the tenancy relationship should be acquired, stored securely and regularly reviewed to ensure it remains necessary, accurate and up to date.

The lawful grounds to process personal information

You must process the tenant's personal information only in the lawful manner set out in the GDPR. In the past you may have simply had a clause in the tenancy agreement where the tenant signs confirming they consent to their data being processed by you. This may now be unlawful. Although the GDPR does have getting consent as one of the ways you can lawfully process data, it's not recommended to rely on this ground in a landlord-tenant situation. This is because there may be an imbalance of power with the landlord having a position of power over a tenant. Additionally, as the tenant could withdraw their consent at any time, it wouldn't be in your interest to rely on consent anyway.

You will most likely be able to use the following (alternative) lawful ways to process a tenant's personal information:

Performance of a contract

Processing personal information will be required as you will have a tenancy agreement or licence with the tenant, and you both need to fulfil your obligations under it. This will include where it is necessary to take specific steps before entering into it.

Examples of personal information that you will rely on for this ground include:

  • Their home address and personal contact details, for communications
  • Their bank details to get credit references
  • Details of their previous landlord, for reference purposes

This ground is likely to cover many of your data processing needs while managing a tenancy.

Legal obligation

This is where you are required to use a tenant's information to comply with a legal requirement, such as from legislation, a regulatory requirement where it's supported by a statute, a court order or court decisions (case law), but not contractual obligations.

Examples of using this include complying with right to rent and data protection obligations and gas safety laws.

Legitimate interests

This can be relied on if the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the tenant's personal data which overrides your legitimate interests.

To comply with the GDPR accountability and transparency requirements, you should perform a 'legitimate interest assessment' for each interest being relied upon and mention the legitimate interests you are relying on and your reasons for using them, in the privacy notice provided to the tenant.

Examples of how you may rely on this ground and reasons for doing so include:

  • Obtaining required references or credit checks – as you need to ensure you will have tenants who pay the rent and take proper care of your property without causing a nuisance to neighbours
  • Reading references provided to you by a letting/managing agent – for the same reason mentioned above
  • Disclosing information to a debt collector or insurance company where a tenant has left leaving rent arrears – to enforce a breach of the agreement
  • Providing a tenant's forwarding address where debts are owed to third parties such as their former utility company or your local council - to prevent fraud and so that they can enforce the debt
  • Providing a tenant's contact details to service providers who need access to your property – in order to effect repairs to the property (which may also be a legal obligation) or to comply with your contractual obligations to a superior landlord
  • Notifying joint tenants of any rent arrears owed by another tenant - to recover unpaid rent
  • Informing a guarantor where a tenant has failed to pay rent - to recover unpaid rent and enforce a breach of the agreement.

See the Information Commissioner's Office (ICO) guide on legitimate interests and how to perform a legitimate interest assessment. You can also find a template for use when performing an assessment on their website.

Vital interest

You can only use this if it is essential to protect the life of the tenant or another person. This will be used in very rare circumstances.

Consent

Consent is harder to obtain under the new laws and can be withdrawn at any time, so may be of limited use. However, where none of the above legal grounds can be used, you can seek the tenant's consent if you need to use their information for a specific purpose.

To obtain consent it must be:

  • Freely given - this means giving people genuine ongoing choice and control over how you use their data
  • Obvious - requiring a positive action to opt-in, meaning it must be prominent and in a separate document from other terms and conditions, e.g. the tenancy agreement
  • Specific and informed – this means it must state what it is for and why you need it
  • Unambiguous – this means it must be concise, easy to understand, and user-friendly

Points to remember

  • You must be able to prove that:
    • Processing is 'necessary' for the stated purpose, i.e. you could not achieve the same result using a different (less intrusive) way.
    • The stated lawful basis applies to the processing. Legal obligation, performance of a contract and protecting someone's vital interests relate to a particular specified purpose. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first.
  • You must consider which lawful basis best fits your purposes for processing personal information before starting to process it.
  • You must document your reasons for selecting the lawful basis.