Personal data: ignore at your peril
David Smith explains why developers and landlords need to be aware of their responsibilities when gathering and storing residents’ personal information – for a start, by being aware that they are doing it.
Increasing investment is being poured into build-to-rent property developments, making it one of the fastest-growing areas in the private rented sector. Those developments are also responding to customer demand by offering an increasingly wide range of additional services in an effort to attract young professionals.
However, a lot of these additional services and offerings involve a wider collection of data. Offering Wi-Fi across a building means that data is being collected about how users, or at least their mobile phones, move around the space. Digital keys mean that there is tracking about who is using the gym, cinema, meeting spaces or other facilities, how long they are using those facilities for and what time of day they are doing so.
Adding CCTV in response to security concerns means that individual movements and encounters can be tracked with a high level of detail, and the growth in facial recognition technology means that this can be done automatically. The Institute of Residential Property Management warned of the risks of new technologies in relation to data privacy in 2020, and those risks have only increased in the past three years.
The risks
The concern is not that developers are collecting this data with the intention of using it. The actual issue is that this data is often collected without anyone being aware that it is being collected. As a result, log files showing who connected to which Wi-Fi access point or went through which door are left unmanaged and unsecured. This leaves such data vulnerable to misuse by unscrupulous employees or contractors, or to access and abuse by hackers.
The disturbing case of CCTV monitoring staff who accessed and took pictures of the dead body of footballer Emiliano Sala demonstrates how easily abuse of data can occur. The greater the scope of data being collected, the easier it is to link that data together to find out sensitive information about individuals.
For example, imagine a computer hacker accessing a tenancy agreement to look for joint tenants with the same surname and then referencing their phone and card access records to establish if one of them had been in another person’s apartment. Done on a wide scale, that creates the possibility of several blackmail targets.
The regulations
All collection of personal data in the UK from data subjects (individuals who can be identified by personal data) is subject to controls under the UK version of the EU General Data Protection Regulation. This means that the data collection must be:
necessary;
for a clearly defined purpose;
based on one or more of the six processing bases set out in the GDPR;
limited in scope to the data that is required for the defined purpose;
transparent; and
secured so that only those persons who need to access the collected data can do so.
Those six processing bases are:
Contract: Processing to enter into a contract or perform the terms of a contract with a data subject;
Legitimate interests: Processing that is intended to protect the reasonable interests of the processor or someone else;
Legal obligation: Processing that is required by law;
Consent: Processing that the data subject has expressly agreed to;
Vital interests: Processing intended to protect a person’s life; and
Public task: Processing by a government body to comply with a required duty.
In practice, only the first four matter for developers, and most processing will actually be carried out on the first two. Often, organisations assume they can rely on consent, but in practice this is difficult as consent has to be given expressly and specifically for a piece of data processing and is not transferable to other processing, and consent can be withdrawn at any time.
Personal data is more than someone’s name or address. It is any data that identifies them. Collecting mobile telephone IP addresses or tracking the movement of key cards issued to specific individuals are both classed as the processing of personal data.
Individuals must be provided with a privacy notice setting out what is being collected, why that is being done and what is being done with the data. There must also be a process to delete that data within a reasonable time period. If any third-party organisation is seeing the data then that will need to be set out in the privacy notice and a contract will have to be entered into with them to ensure that they are complying with the GDPR as well. Lastly, there are strict controls on exporting this data outside the UK, with only a limited list of countries being permissible.
The response
From the point of view of a build-to-rent developer, the first thing to consider is what data is actually being collected. This can be quite a complex question as that will vary depending on the specific range of technology products being used. Not knowing what data is being collected will make it impossible to comply with the requirement to provide a privacy notice to data subjects.
The second requirement is to establish why that data is being collected, why that collection is necessary and which of the processing bases apply to it.
The third point to consider is whether that data should be retained, for how long and what security measures should be applied to it. If data is being dealt with in the cloud or accessed by a third-party company then this also needs to be considered and, if necessary, the proper contracts entered into if there is an international data transfer.
Developers increasingly find themselves controlling more and more personal data. Properly managed, this is not a concern. However, the danger is that this collection is unmanaged and – even worse – entirely unrecognised.
David Smith is head of property litigation at JMW Solicitors