Published in the month of Halloween, does the 2021 Sector Risk Profile from the Regulator of Social Housing contain any scary surprises? To be fair, as it’s about risks, it’s all pretty scary. But what does it say about data protection risks?
One welcome surprise, from my point of view, is that Data Security and Data Integrity has been split into two separate risks now; perhaps an indication of the importance ascribed to data-related risks by the Regulator?
Another nice addition since the 2020 Risk Profile is the sentence:
“Providers gather many types of data in the course of their activities and have a duty of care to tenants and staff to protect this data against a backdrop of increasing data security risks.”
It’s great to see the Regulator recognising the link between your data and your duty of care. Where I think the Risk Profile hasn’t gone far enough, though, is that it doesn’t include the risks to your tenants, staff and the organisation if some of the other data protection principles are breached; security is only one of seven principles laid down in data protection law. People can be harmed – and compensation can be claimed – in the case of many different breaches of the data laws, not just security breaches.
Having said that, the quickest route to data-related problems is probably a security failing. So any housing association without “data breach” on their organisation’s risk register has a lot of catching up to do.
If data breach is already on your risk register, I’d urge you to regularly review what controls you have in place, and whether they are as effective as they could/should be. Bear in mind that the causes of a data breach are complex and varied; as well as external threats, consider internal errors and sabotage too. Consider their potential root causes and how to protect against them.
The Profile explains that Boards have to make trade-offs because of competing demands for resources. Unfortunately, all too often I see data protection being traded off and not invested in. Data protection compliance is often seen as an added extra in housing, not a key objective.
But the fact is, almost EVERYTHING that a housing provider does involves personal data; from collecting, through using, sharing and storing, to deleting information that relates to people, all of these activities mean you are processing personal data. And your duty of care means that protecting the data needs, and deserves, to be invested in.
In our Purpose & Data Alignment Programme, we provide you with the tools, templates and training you need to build a robust data governance framework, including risk management for all risks related to personal data. The framework is adaptable, and can be applied to any type of data too.
The Regulator is clear that good quality data is a crucial foundation on which to build assurance, and service delivery. The word data is included in the Risk Profile 32 times over 27 pages. And many of the risks relate to data without it being made explicit, for example the Fraud risk.
For a free checklist to help you assess your data protection compliance and governance, subscribe below (you can unsubscribe at any time).
If you have any questions about our Purpose & Data Alignment Programme, training, or any other way we can help you to improve your compliance and build trust, please email firstname.lastname@example.org or book a free call below.
If you have any questions about data protection, either about governance frameworks or anything else related to personal data, book a free call!
Author: Clare Paterson, CP Data Protection director
Clare draws on over 20 years of experience in risk management and quality assurance, including ten years in data protection, to provide clear and practical advice and training.
Don’t tell everyone (shh!) but Clare’s favourite sector is social housing, having worked in a large housing association for 12 years, although she loves to support all values-led organisations.