New Data Requirements
FOUR THINGS HOUSING ASSOCIATIONS NEED TO DO IN 2021 TO PREPARE FOR NEW DATA REQUIREMENTS
With many housing organisations only just getting to grips with GDPR, it may seem like data management might have had it fill of changes for a while. But with two new pieces of regulation set to bring significant change it’s vital that housing associations prepare. Here Clare Paterson from CP Data Protection explains more about the changes and also what four things registered providers can do today to get ahead of the curve.
“There are a couple of pieces of new legislation coming down the road for housing associations that will impact their responsibilities in terms of access to information” says Clare, “and although they are very different, my advice with how to respond is the same.”
“The first change is the ‘Building Safety Regulations’ in response to the Government’s ‘Building a Safer Future’ consultation, which was triggered by the tragedy at Grenfell tower in June 2017. The Government is proposing to introduce a new safety regime for buildings classified as high risk – essentially buildings over 6 storeys or 18 metres. There are many changes as a result of this new regime, but most notably for those responsible for data management in housing associations, there are some significant changes around storing and access to information on building records.
It became apparent that information on building safety and the construction materials used at Grenfell either didn’t exist or it wasn’t right. There were assumptions made and materials had been used in a way that they hadn’t been tested for, so there was no guarantee they were safe for how they were being used and as it turned out they absolutely weren’t safe and people tragically lost their lives as a result.
A key phrase to note under this new regime is the ‘golden thread’ which is about an organisation’s responsibility and ability to track information such as where building materials have come from and what they should be used for, what the testing was, a building’s layout and properties, and ensuring all this information is accessible. The main challenge for many housing associations is that much of this information will be stored in multiple places for existing assets and some of it won’t have been updated.
For tenants, they will now have a legal right to access this data, whereas at present they can’t usually access it. It’s the sort of information you could get from a Local Authority through the Freedom of Information Act (FOIA), but housing associations are not currently subject to FOIA.
In a similar vein the second regulatory change on data management relates to tenants’ access to data. The recent Social Housing White Paper lays out plans to provide tenants with FOIA-like access to housing association business information. The detail around this is quite vague at the moment but I suspect it will provide rights around accessing data on things such as stock numbers, investments, salaries, plans etc. Essentially it will align housing associations with the responsibilities of Public Authorities.”
So what can housing associations do to prepare?
The detail around both these changes to regulation isn’t all available yet, but from what we know there are certain things housing associations are going to have to be ready for. So here are Clare’s four tips to help you prepare for the change:
- Know your information: As soon as the rules on the ‘golden thread’ are nailed down start to pull your information together. For many housing associations this information is either not going to exist, or it certainly doesn’t exist in one place so now is the time to start harvesting what you can. Some of this will involve re-surveying buildings, using new technology to scan buildings and build 3D digital models and plans;
- Install good processes: Now is the time to develop good processes. So say Mrs Smith calls up and says she wants information about her building; we need to know how many floors are in her building to understand whether it comes under the regulation. Or is your business going to decide that you will provide this information on all assets? From a data protection perspective, how are you going to check the person requesting the data has a right to it (assuming the right is restricted to tenants) and how robust are those checks going to be? Validating requests will need to be a bit stronger than ‘tell me your postcode’, but not too invasive either;
- Preparing your workforce: In the same way that everyone who is customer -facing needs to understand the process for Subject Access Requests, everyone in a similar role will need to understand what they need to do for this ‘golden thread’ information. So training is going to be crucial to ensure requests don’t bounce around an organisation or get ignored. They need to know that the response isn’t ‘here you go, here’s everything’ nor is it ‘no, get lost’;
- Identify your co-ordinator: Every organisation will need someone to co-ordinate this and I suspect this will often fall into the lap of the data protection officer or similar because it’s broadly ‘information governance’. However there’s potentially a couple of challenges around resources with this. Firstly, capacity might be an issue as we don’t know what appetite there will be for these requests. Given the high profile nature of the Grenfell tragedy and the subsequent news coverage on cladding, it certainly has the potential to be big. Secondly, it’s about having the right resources, as there will be exemptions that practitioners will need to apply and justify. For example just like with FOI there may be an exemption for commercially sensitive data, but you can’t just say “well there’s a pound sign so I’m not disclosing it.” You’ve got to weigh up whether there’s likely to be harm in you disclosing it and if there is, weigh that up against the benefit to the public in general of disclosing it – it’s all a balancing act. The exemptions should come out with the legislation, but it’ll be down to practitioners to interpret and justify them. You need someone with a good eye who can see the nuances of this and not just cross out a name or pound sign.
Clare Paterson has over 20 years of experience in quality assurance and risk management, including around nine years specialising in data protection. Clare launched CP Data Protection with one clear objective – to offer businesses accessible, real-world advice and training on data protection issues.