The Regulator of Social Housing (RSH) recently published the final list of Tenant Satisfaction Measures (TSM) questions, that social housing providers have until April 2023 to get ready to start collecting data for – just over 6 months. I can imagine the stress and/or excitement that providers might be feeling about the TSM, and the challenges and opportunities they might bring. Stress and excitement are not the best ingredients for getting data protection right, though, unfortunately. So how to protect the people the TSM are designed to help, the tenants?
While it’s good to see in the RSH guidance that they warn against publishing TSM results that might identify individuals, ‘confidentiality’ is only a part of data protection.
I say this a lot, but the name “protection” doesn’t fully cover what’s involved – nowhere near.
Registered Providers preparing to collect data for the TSM will also need to consider the controls they put in place before, during, and after the data collection.
RPs who don’t consider these points beforehand, face several risks, including transferring data to a country or company without adequate safeguards in place, complaints about actual or perceived misuse of data, and having excess data released if/when a data breach happens.
The required controls aren’t any different to “regular” data handling, but there are factors that add to the usual difficulties of embedding data protection controls.
As well as the fact that many people often think of “data protection” as being only about security, when it’s so much more, providers might be rushing to put processes in place in time for April 2023, and providers might be tempted to get “more value” from the TSM data by combining it with existing data and profiling respondents.
“Data Protection” is about protecting people from potential discrimination and from any other harm to their rights, that can arise from the use of information about them. Even if discrimination is only suspected, not actually happening, it must still be investigated and explained, taking up time and resources.
I’m not suggesting all RPs are facing these risks, but some providers certainly are. To control these risks, follow these guidelines:
1. Identify and document the lawful basis for collecting and using TSM data (including any extra measures you may want to add.)
2. Ensure transparency with your customers about the whole process.
3. Build your processes to ensure all the data collected for the TSM is:
c) only used for the TSM, and
d) not kept too long.
4. Select appropriate companies/software to assist with the data collection and analysis, if required. Include legally-compliant Data Processor clauses in the contract.
5. Include details of the TSM process in the Record of Processing for accountability purposes.
6. And, last but by no means least, keep the data both secure and publish it in a way that preserves tenant confidentiality.
For more information on the breadth of data protection requirements, which are focussed on PURPOSE, not just security, read our recent post on How to Repurpose Data Lawfully.
We also have a free half-hour training session available on YouTube about The Purpose Paradox and Its Solution, and if you only have a couple of minutes, check out our 72-second video that explains why PURPOSE is the most important aspect of any data-related project.
The RSH documents for the TSM are available here: https://www.gov.uk/government/consultations/consultation-on-the-introduction-of-tenant-satisfaction-measures