Why we need to rethink the collection of resident data (or “why the NHF proposal could lead to problems”)

The National Housing Federation (NHF) recently released a proposal about the types of data they believe landlords would find useful to collect about their residents.

The web page is here, and the link at the bottom allow NHF members to download a longer document: https://www.housing.org.uk/resources/knowing-our-homes-initial-proposals-resident-information/

I was concerned to see a lack of acknowledgement of data protection. There is a brief mention of GDPR, but not in a particularly positive light unfortunately.

So I’m sharing a summary of the feedback I’ve sent to NatFed about their proposal. This may well fuel some heated discussions that I know are already happening, about collecting resident data, but I believe we need to reevaluate the value and purpose of what is often called EDI data collection.

The NHF’s overview of the key data points that it proposes social landlords should collect about their tenants is “based on feedback on the importance of balancing the gathering of information about residents against the need to respect tenants and residents privacy, and well as considering GDPR requirements” as explained on the NHF website. https://www.housing.org.uk/resources/knowing-our-homes-initial-proposals-resident-information/

While this reads as if privacy and the GDPR requirements are in conflict with gathering information about residents, it does not need to be that way.

Data Protection isn’t the red-tape you might think it is

In fact, the social housing sector is based on values that are closely aligned with data protection, even if it’s not always recognised. The failure to recognise the similarities is likely due to the many misunderstandings around what data protection encompasses.

The term data protection is very often misunderstood. Which is understandable because the term data protection does not ‘do what it says on the tin’. Data protection sounds like all we have to do is collect data and then keep it secure from being leaked.

This is so far from the truth.

Of course, data security is absolutely crucial, crucial for the safety of customers and therefore for the trust that people have in their landlord and the sector in general.

Security, though, is just a very small part of the Data Protection jigsaw. No matter how secure we keep personal data, if we don’t begin by identifying and documenting a lawful purpose for using that data, we are automatically breaching the law, and anything and everything done with that data is unlawful.

When considering asking residents about their potentially very private and sensitive information as proposed by the NHF, we should acknowledge that for some residents, it won’t matter to them how securely the data will be kept, because simply being asked the question makes them feel unsafe; it already feels like a violation of their privacy and it worries them, perhaps because of their personal circumstances or prejudice they face/have faced.

These residents would understandably want to know in detail how answering these questions is going to benefit them directly, because it is already harming them.

What is a lawful purpose/basis?

Any decision to collect or use personal data must be built on understanding its purpose, and the lawful basis that applies to that purpose.

Interestingly, while it’s often thought that data protection law focusses on data security, in the text of the principles section of the (UK)GDPR, the word “purpose” or “purposes” is used 12 times, while the word “security” is only used once.

Getting the first principle right is the foundation of every other principle; anything that a landlord does with personal data will be unlawful (i.e. breaching the (UK)GDPR) if the landlord does not have a clear, documented, valid, and fair lawful basis for that data processing, before the data is collected.

And, crucially, each purpose for which the data will be used, or “processed”, needs its own lawful basis.

Which means that there is no such thing as compliant data, only compliant purposes; where data has been collected for one purpose, which has a lawful basis, that data cannot simply be repurposed, or used for an additional purpose, without going back to square one and identifying and communicating a clear, valid, fair, and lawful basis for the new processing.

The true cost of breaching the (UK)GDPR for housing providers

While GDPR fines have been uncommon in the UK, the true cost of one or more landlords processing resident data unlawfully could not be calculated purely by the amount they may, or may not, be fined by the Information Commissioner.

Even happy customers would likely lose trust in their housing provider, if it was discovered even some of their data processing was unlawful, so we can imagine how customers who already feel marginalised by their landlord could feel in the same situation.

Loss of trust would have knock-on effects in every part of the customer/landlord relationship, and the time and resources needed to rebuild that trust could be immense. Time and resources would be required for responding to related complaints, increased numbers of subject access requests (where residents can ask for access to copies of the data held about them), and even claims for compensation for harm caused by unlawful data processing.

The effect on the provider’s governance and reputation would be far-reaching too.

So, can we collect EDI data lawfully?

The NHF proposal includes collecting:

  • ethnicity
  • age
  • gender
  • disability/long-term health conditions
  • support needs
  • language barriers
  • contact details, and
  • number of occupants in a home.


For some of these data points, there is a more clear purpose (for which the data is necessary) and therefore also a legal basis than for some of the other data points.

In my full response to the NHF I went into some detail on the potential available legal bases for all of the data points in their proposal.

But the short answer to the question “can the proposed tenant data be collected lawfully?”

– “Probably.”

However, no one can answer the question fully until we have clearly identified the purpose for each data use, and the level of necessity for each piece of data in relation to each purpose.

With unlimited resources, the sector could ensure 100% of its homes were safe, high quality and affordable 100% of the time, and be able to prove with data and statistics that its services were provided equitably and tailored to the individual needs of all residents 100% of the time. Unfortunately though, we need to prioritise where our resource, and therefore focus, goes.

Which comes back to the BSHR Action Plan’s first recommendation – “Every housing association, and the sector as a whole, should refocus on their core purpose and deliver against it.”

Collecting the proposed resident data will require a huge investment of resource and planning for housing providers to be able do it lawfully, before even considering the vast amounts of time and resource needed to undertake the data collection exercise.

What would the impact be if we don’t collect the data?

As a counterpoint, I would encourage the sector to weigh up the likely positive impact the data collection could have on achieving its core purpose, compared to the extent and costs of the input required.

In business and quality management, the Pareto Principle (or 80/20 rule) tells us that not all efforts provide equal outcomes. We need to carefully deploy our limited resources to have the biggest positive impact on achieving our core purpose.

For example, is it necessary to have all the proposed data to be able to provide safe, good quality homes, or is it only helpful, and there are there other ways resources could (or should) be used to better effect in achieving our core purpose?

Can the sector provide clean, safe, warm, good quality, affordable homes and appropriate services to residents without collecting this data? I believe it can.

In fact, we can maintain and improve EDI (equality/equity, diversity, and inclusion) without collecting and processing the proposed data; many methods are available including some quick wins, some of which are explained in my book, and in more detail in CP Data Protection’s EDI on-demand training, made with Consult Seated.

If the NHF or any housing association colleagues would like to explore this content further, I would love to hear from you, even if you disagree with my thoughts! Thank you for reading. You can contact me at Clare@cpdataprotection.com

Leave a Reply

Your email address will not be published. Required fields are marked *