During 2014/15, the ICO visited a number of residential sales and lettings organisations across the UK. It also conducted an online survey in conjunction with the National Association of Estate Agents (NAEA) and Association of Residential Letting Agents (ARLA).
In January 2016 the ICO published a report that identified common themes and challenges faced by residential sales and lettings organisations in complying with the DPA. The report found:
- There was little in the way of formal policies and procedures in place for data protection in the organisations visited
- There was little if any formal training for data protection
- There was a lack of awareness whether written contracts were in place containing information security clauses
- There was a lack of awareness about the importance of using technical security controls such as encryption to protect personal data if devices are lost or stolen
- The use of generic accounts to gain access to IT systems is widespread
- Where system access was password protected, the passwords were seldom complex and were not changed regularly
- There was a lack of security in place for manual records containing personal data
- Where CCTV was used, the organisations were not displaying adequate notices to inform individuals that CCTV is in operation on the premises and had rarely included this purpose in their registration
- Adequate information for individuals about how the organisations were going to process their personal data was not always supplied
- Personal information was kept for longer than necessary as retention schedules were seldom in place.
Incredibly, only one of the organisations the ICO visited had a data protection policy in place. None of the agencies that permitted staff to work from home had a home or remote working policy (outlining staff responsibilities towards personal data in these circumstances), and none provided guidance for staff on how paper documents and mobile devices should be stored off site or secured during transit.
Unsurprisingly the report says: “It is essential to have written data protection policies and procedures in place to ensure compliance and promote good information handling”. Such organisations should:
- ensure policies consider the additional security risks associated with home / remote working where applicable, as well as staff working within the office environment
- ensure policies are approved by a director or senior manager, have a clearly identified owner and version number
- store policies on the organisation’s intranet or a shared network drive and communicate them to all staff, and
- review policies on a periodic basis and update when necessary
In addition, training is a key tool for ensuring staff awareness of data protection obligations, confidentiality and the security of personal data. Good practice in training should include data protection training as part of the induction process for all staff, annual data protection refresher training for staff who have access to personal data, and maintaining a record of training completed and reminding staff when their training is due.