Customer insight in the social housing sector is a key aim amongst many housing associations; we want to better understand our customers and better serve them. However, in a recent discussion about repurposing and combining data in the social housing sector to obtain customer insight, I had to point out that if you simply repurpose or combine your data, you could very easily be breaking the law. I was asked “If we’ve already got the data lawfully, how could it be unlawful for us to use it in another way?” The problem with this is, there’s no such thing as ‘GDPR compliant data’ when it’s data linked to your customers, colleagues, or anyone else. The key to explaining how it could be unlawful to repurpose your data is the fact that data protection compliance is purpose dependent.
It’s often thought that ‘Data Protection’ focusses on security. After all, the word ‘Protection’ implies that it’s all about keeping data, just that – protected. So there’s, understandably, a widespread misconception that if data is kept secure, the data and/or the organisation is ‘GDPR-compliant.’ There’s much more to it than that, though.
How can repurposing data be unlawful?
One of the key parts of the (UK)GDPR is the principles, which are the six golden rules for handling personal data; the principles are overwhelmingly focused on the purpose for which the data is used.
Of the 6 Principles on handling personal data, 5 of them relate to the PURPOSE for which the data is being held, and only 1 out of 6 relate to SECURITY.
In the text of the principles section of the (UK)GDPR, the word ‘Purpose’ or ‘Purposes’ is used 12 times, while the word ‘Security’ is only used once.
Let’s consider an example: Imagine you have data set A, which you collected for reason A, but you realise it could also be useful for reason B. This could be customer dates of birth, that you collected in their application process, which could also be used to segment your customers and identify who might be interested in retirement living.
How to repurpose data safely & lawfully
Because lawfulness is based on how and why you collected and are using a certain data set, as laid down in the 6 Principles, we need to consider those rules, if we want to use data A for reason B.
To make things even more complex, the first Principle alone has 3 parts to it. To repurpose the dates of birth lawfully, and safely, we would need to apply several of the requirements from the 6 principles:
- Identify a lawful reason for the customer segmentation – from the list in the (UK)GDPR,
- Ensure it’s a fair way of using the data,
- Be transparent about it to your customers,
- Only use the dates of birth if you know they’re accurate,
- Decide how long you will keep the data,
- And, last but not least, keep the data secure!
Data Protection law is misunderstood
The 6 principles are paraphrased below. Interestingly, points 3, 4 & 5 – relevance, accuracy & timebound – are often thought of as ‘Data Quality’ or ‘Data Ethics’ issues, but many people don’t realise that they’re also legal requirements of Data Protection law.
[Side note: data protection law is based on upholding human rights, it’s so much more than bureaucratic rules.]
And point 6 – Security – is what we often think of as the main thing involved in data protection, but as we now know, it’s only a part of it.
Once we’ve considered the principles, we still need to revisit the other key requirements of the (UK)GDPR (which again, are there to protect human rights, not to be red-tape, I promise!)
All other key requirements of the (UK)GDPR
We also need to consider if the customer segmentation work will involve storing the D.O.B. data somewhere new, or in a different way, or sharing it with a new supplier (‘Data Processor’), and if the answer is ‘yes’ to any of those questions, consider:
- Is the data being stored outside of the UK?
- Do we have the appropriate clauses in the contract with that supplier, to protect ourselves?
- Have we done due diligence on the supplier, including reviewing their security standards?
- Will this new use of data impact on how customers can exercise their Data Rights (e.g. the right to access their own data through Subject Access Requests)?
- And, will this new use of data impact on how we react to data breaches?
This article isn’t intended to be a How-to on data repurposing (although it is a good starting point for that!) Instead, it’s intended to illuminate just how important PURPOSE is when it comes to the data we already hold.
Where do we go from here?
Make no mistake, repurposing data can be hugely valuable, and help you gain insight into your customers and colleagues.
But there are several steps to take if you want to do it lawfully, safely and with due respect for your customers’ rights. Which housing providers place a high value on. After all, the PURPOSE of social housing is to build and develop safe homes and communities. And part of that is protecting customers by protecting their data.
To align your data-handling practices more easily with your purpose, consider our Purpose & Data Alignment Programme, developed for housing associations who want to make sure the data you are entrusted with is accurate, safe, and used to enhance the experience of the people you serve and work with, and not misused or abused.
If you’re not ready for the whole 6-part programme yet, why not start with the upcoming Purpose Paradox workshop on 7th September 2022? At just £20+VAT per head, it’s the perfect starting point for anyone whose work involves customer data, colleague data, or data about anyone else. The learning points are particularly useful for Project Managers and Data Protection Teams, so even if your organisation’s budget is tight, this is a worthwhile personal investment in your own career.
Extra reading: The paraphrased (UK)GDPR Principles for handling personal data
1a. The data use should be for a lawful reason; meaning it’s one of the reasons – or legal bases – which are listed in Article 6 of the (UK)GDPR, and they all need the use to be necessary to do a certain thing, apart from if you get consent, which can be withdrawn.)
1b. The data use should be fair too, which is obviously subjective, so a tricky one to assess.
1c. The data use should be transparent, and you should be informing people how you’re using their data.
- The data should only be used for the purposes for which it was collected in the first place, unless you go back and redo points 1a -c.
- Data should be relevant and limited to what is necessary (that word again!) for the purpose for which you have the data. Which means no excessive data, or “just in case” data.
- Data should be accurate and up-to-date.
- Data shouldn’t be kept forever, but only for as long as is necessary (and again!) for the purposes for which you have the data.
- Data should be kept secure.