The Data Protection Act 2018 (the UK’s implementation of the European Union’s GDPR) imposes a duty on everyone who handles other individuals’ personal data to follow certain data protection principles. This includes licensors i.e. people who rent out parts of their home to lodgers but are not “official” landlords. Read on for an overview of the duties imposed by the current legislation on licensors and tips for how you can stay compliant.

What is personal data?

Personal data is any information which relates to an identifiable person (the data subject), and licensors are very likely to handle it. Personal data can be a name, address, identity document, number, Internet Protocol (IP) or an email address, as long as it can be used to identify a particular person.

How should lodgers' data be handled?

The main thing to know is that the following seven principles must be followed whenever you are collecting, processing or storing personal data:

  • Data processing must be lawful, fair, and transparent to your lodger(s);
  • Data must be processed for the legitimate purpose specified when it was collected;
  • Only as much data as is absolutely necessary for the purpose specified must be collected and processed;
  • Personal data must be accurate and up-to-date;
  • Personal data must be stored for only as long as necessary for the specified purpose;
  • Data must be processed in a way which ensures its security and integrity;
  • You (the data controller) are responsible for demonstrating compliance with these principles.

What should licensors do to stay compliant?

  • Follow the 7 data protection principles when storing and processing data.
  • Identify the lawful basis upon which you will be processing the lodger’s personal data. There are 6 of them, but the ones most likely to apply to you are:
  1. The performance of a contract — You’re processing the data in order to satisfy your obligations under the lodger licence agreement.
  2. The fulfilment of a legal duty — You’re processing the data so that you can comply with a legal requirement, such as conducting a right to rent check,
  3. The pursuit of a legitimate interest — You’re using the lodger’s personal data in a way that they would reasonably expect it to be used.
  4. The grant of consent — Your lodger has given clear consent for you to use their data for a specified purpose.
  5. Be upfront with your lodgers about why you are collecting their data and how you intend to use it. A simple data protection policy may be valuable, as the lodger can read it then sign it to acknowledge that they’ve understood how you handle their data.
  6. Inform your lodger(s) of their statutory rights e.g. that they can request sight of any personal information of theirs held by you or your agent, or that they can request to have all information you hold on them deleted.