Introducing A Practical Guide to Data Protection in Social Housing

On 6th December 2023, our director Clare Paterson proudly launched her first book, the book she wished she had when she worked in-house in data protection at a social housing provider: ‘A Practical Guide to Data Protection in Social Housing’. Here is the speech Clare gave at the hybrid online and in-person book launch event:

“Thank you for being here, whether in-person or online over Teams, I can’t tell you how much I appreciate it, and how surreal it is. It is a real pinch-me moment to be able to say the words “my book”!

I want to talk a little bit about how this book came to be written, and then tell you some of the key messages from the book… because this is not just a re-print of the GDPR. It is the book I wish I’d had access to when I was working in a social housing provider, in data protection.

It’s the closest thing you’ll get to bottling my approach to data protection, without having to come to one of my sessions or hire me as a consultant. In my clear and practical way of approaching DP.

That’s not to say you shouldn’t still hire me as a consultant and a trainer, please do!

But I hope this book will be a useful, insightful, and thought-provoking reference book when you are faced with “just a quick question”!

I’ll explain briefly how the book came to be written, and then I will welcome questions if you want me to expand on anything. Then I’ll talk about the key messages, and then open up the conversation to everyone.

Before I forget, I am hoping to get some discount codes soon as well, from the publishers, so if you’ve not ordered it yet (or even if you have, and can still cancel it…) you might want to wait and see if I can get those discounts sooner rather than later!

Update – books now available at a discount here on the CP Data Protection website for a short time.

How the book came to be written

For those of you who don’t know my background, I have worked in social housing for almost 20 years now, in various teams. And before that I worked in Quality Management and Health & Safety Management. I’ve carried with me a lot of the skills and knowledge from my QM and H&S days into everything I’ve done since then, and especially in my data protection work. I fell into data protection (as many of us do!) over 10 years ago, and it just clicked with me. I ran with it, setting up my own consultancy in 2017, shortly after I returned to work after my first maternity leave. My husband had given up his job to look after our little boy, so it was scary, but it was also very exciting!

Since then I’ve continued to work with a lot of housing providers, including through my work with Anthony Collins Solicitors. I was part of their data protection team advising clients (and helping out internally when called upon) for around 5 years. That was another series of pinch-me moments, as I had been a client of ACS for several years, and would often call the DP team at the time, to check I was on the right lines (as you know, DP can be a lonely role, and directors like to have your advice confirmed by someone external too!)

Not long after I resigned from my full-time job, I was asked by ACS to join their team, which I did as a consultant, and it was a wonderful place to work. Answering the phone to a former colleague, the same phone and at the same desk, as the ACS colleagues I used to call, was very surreal.

My experience of being on the other side of the phone, though, is what I believe gives me my USP – my ability to empathize and understand fully where my clients are coming from, especially when you are a lone DPO voice.

Several months ago, I was approached by a publishing company, called Law Brief Publishing, asking if I would be interested in writing a niche data protection book. They suggested DP in health care first, I think, because they had seen that I present a training course on that subject for MBL Seminars – a company that specialises in training for legal professionals.

My first response was “you don’t want me! I’m not a lawyer”. But Tim from Law Brief Publishing went away and read my articles and blog posts, and came back and said “we actually do want you!”

So we had a call and we both suggested I could/should write about DP in Social housing instead, as it is very much my favourite, and my specialist, sector.

And that was that! We signed a contract, and they gave me 6 months to send in a completed manuscript. As their writers are subject matter experts, they don’t do any editing except for grammar and so on. So that was a bit nerve-wracking…

Fortunately, my husband knows me very well and he knew that – left to my own devices – I would leave it to the last minute and have a crazy rush in August! So he sent me off to an Airbnb for two nights, and I locked myself away, and got the bones of the book down.

And much as Jie had predicted, I then did hardly any more writing until the week before the deadline! Partly due to my natural tendencies, but partly due to life being all over the place this summer.

So I had one week to go, but a ton of “normal” work to do too, so for that last week I worked to the early hours every night, and Jie brought me drinks (mainly wine!) and encouraging words. And we got there!

You will see in the book that I’ve dedicated it to Jie, as well as our children Daniel and Beatrice.

The key messages in the book

The Preface from the book:

“I’m passionate about data protection, because at its core it’s about protecting people.

The people I’ve met working in the social housing sector over the last 19 years are passionate about people too. And if we don’t handle information about people with respect, how can we say we’re treating the people themselves with respect?

If we want the people we work with and for to trust us, we must be able to let them know they can trust us with their precious personal data.

Keeping data safe and protected is so much more than storing it on a secure server or locked in a filing cabinet; it’s about being clear why we want the data in the first place (and that reason being for a fair and lawful purpose!), being open and transparent, and only collecting, using, sharing and storing the minimum amount of data we actually need for those (fair and lawful!) purposes.

The very first Article of the GDPR itself explains that:

“This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

Data protection rights are human rights, and I know that the people I work with care about human rights (I don’t tend to work with clients that don’t!)

If your work involves knowing anything whatsoever about your customers, tenants or colleagues, you’re in the data world whether you realise it or not, and should be protecting that data too.

It shouldn’t be a them-and-us situation though; we’re all handling personal data, it’s just some know a bit more about the data protection laws than others. So let’s work together so that everyone handling data knows how to protect that data, and protect people.”

Now, I said the book isn’t just a re-print of the GDPR, and that’s true. It references the law though, and explains how it applies particularly to social housing and the challenges faced in the housing sector.

I just want to highlight three of the messages in the book:

Start With Purpose, Take nothing for granted, and think outside the box.

  1. START. WITH. PURPOSE

The number one thing I bang on about is that DP is misunderstood, and indeed I think the title Data Protection is part of the problem as it (mis)leads us to think that it’s all about keeping data secure from external forces – or protected – once we have gathered it. End of story.

But it’s so much more than that. And it starts with having a valid purpose for collecting the data in the first place; a valid purpose which matches nicely to one or more lawful purpose (or legal basis, processing condition, they are called many things.)

And it’s not just about the purpose we identify at the point of the data collection – but it’s about sticking to that purpose, or identifying another lawful purpose if we want to repurpose the data.

Getting that purpose nailed down, and being able to explain it, and actually carry through with it, has to be the first step. Because without it, anything else we do to that data is unlawful and unfair. And even if it probably won’t lead to the ICO coming after you at the moment, it will lead to complaints, compensation claims, and a breakdown of trust with your customers and colleagues. All of which are costly, in time and money, and prevent housing providers from achieving their core purpose with their limited resources.

  2. Take nothing for granted!

This is my golden rule for DP, and it’s a good rule for life too!

In Data Protection I use it to mean keep asking questions, keep digging, and keep challenging.

Coming back to purpose, we shouldn’t just take the purpose given at face value. Ask how will this project actually – in practice – achieve that purpose (and therefore meet the lawful purpose)?

Often in housing, a project that has a seemingly good intentioned purpose will not meet that purpose (and therefore not be lawful) because of the way it is being undertaken; the how doesn’t match the why.

For example, wanting to refer customers to a mental health charity (without transparency let alone consent) because they phoned about repairs more than x times!

Another common problem is when the purpose is great…but the organisation has no resources to actually follow through. EDI has a lot of this. We want to collect information about our customers (and colleagues) – their race/ethnicity, religious beliefs, sexual orientation and their health/disability status. The purpose? To ensure we are providing our services equitably and fairly. But how are you going to do that? If you don’t know, you don’t have a lawful purpose. If you have an idea (hint, it’s on page 131 of the book and involves Identification, Investigation, Ideas, and Implementation), then do you have the resources to follow that action plan? If you don’t or won’t, you don’t have a lawful purpose.

  3. Think outside the box

The final key message I want to share is that, to be most effective in the field of data protection, we need to look outside the field, for a couple of reasons. First, we need to understand the context in which data is being processed. Secondly, and perhaps most importantly, we need to know how to improve data handling and privacy in practice.

Many people can read the GDPR and work out what it means. But it takes additional know-how (and the willingness to search out that knowledge) to make suggestions that will help organisations and sectors to achieve their goals in a way that protects people’s data. And when I say “protect people’s data”, you know that I mean “only collect it in the first place if you have a damn good reason to!” As well as all the rest of the data protection principles and rights and rules.

Some of my knowledge in that area comes from my time in QM and H&S – Quality Management is about frameworks that help us to achieve our goals with less wasted time and resources. And Health and Safety is of course about keeping people safe, physically of course, but also mentally and emotionally where appropriate. And there are frameworks already designed in H&S to help us reduce the risk of harm to people.

So we don’t always need to reinvent the wheel – we can go to these other areas and learn and borrow from their frameworks. Looking at things through a QM lens, for example, will help me see several ways to improve service provision that don’t involve collecting or storing personal data. Such as getting maintenance to stick to appointments because it’s good customer service, not because they know that a tenant has autistic children (I know, I know, easier said than done…)

And a lot of my knowledge about areas outside of DP comes from working with, and learning from, experts in other areas.

EDI (Equality/Equity, Diversity & Inclusion) is a real passion of mine, and so I’ve worked with EDI experts, most notably Kat Paylor-Bent who was at Buckingham Palace last week watching another disability campaigner, Isaac Harvey, receive his MBE from King Charles in an outfit she had made for him (Isaac, not the King!)

There is a wealth of information from other people with lived experience too, that we can and should tap into, and I have met so many people through their content on LinkedIn, covering EDI from the point of view of ethnicity, gender & transgender, socio-economic status, sexual orientation, age, neurodiversity and physical and mental disability.

In the book I’ve used menopause as a real example – as it is very close to my heart for obvious reasons! – of the way “EDI Policies” are often just a data collection exercise, and can cause more harm than good. And I give examples of ways you can support (menopausal – in this case) colleagues without collecting their data, or at least collecting a lot less data.

The other part of DP work where thinking outside the box is valuable is in trying to work out what risks there are in the first place.

It’s near impossible to recommend and agree “appropriate” risk controls if you don’t even see the risks, or you can’t explain the risks to your colleagues. Because as I said earlier, “it’s against the law, and the ICO will get you!” isn’t likely to cut it, not at the moment anyway.

I recommend using thought experiments to identify risks in your current and planned data processing. Put yourself in the shoes of people who have different characteristics to you and have had different life experiences from you. And ask yourself, how do I feel about this now?

I want to leave you with an example I’ve been using in training and speaking sessions recently, about EDI surveys. I wrote this for the Housemark conference a couple of weeks ago and have used it in training since then, as I had really positive feedback.

So we are planning to ask our customers their race, religion, sexuality and disability.

Consider how different people might feel. For example:

Grace from Ghana, Christian, heterosexual, with epilepsy… which means she is shunned in Ghana as epilepsy is often thought to mean you are possessed by a demon.

Conclusion

I don’t want to end on a low note, so to round up, we talked about purpose, taking nothing for granted and thinking outside the box, and I will leave you with this – the final piece of advice at the end of the book.

DPOs and DP professionals do an amazing job, but it can be lonely, and it’s not easy either. Lean on the wonderful community that we have. I’m so proud of the Hive and I’m meeting more people in housing and DP (and both) all the time. And despite coming from a wide variety of backgrounds, the one thing we tend to have in common, is we care about people. And I promise you, we make a difference to people’s lives, so keep doing what you’re doing!”
