ICO says understanding of Data Protection needs to improve

Thursday 14 April 2016

The Information Commissioner's Office has released its findings from an enquiry aimed at gaining a better understanding of the data handling practices, information risks and challenges facing organisations in the residential sales and lettings sector.

Working closely with Christina Jones, Disciplinary Case Manager at NFoPP, they carried out 10 advisory visits (voluntary arrangements) to agents during 2014/15 and also sent out a comprehensive data protection survey which resulted in responses from 51 organisations across the UK.

In a nutshell the results show that agents need to be doing more in order to comply with the eight principles of data protection that all organisations must comply.

The report covered the following EIGHT areas (key findings are given below but please refer to full report for detailed findings):

  • Policies and Procedures
    Only one organisation visited had a data protection policy, but 71% of survey respondents said they did.
  • Data Protection Training
    Most of the organisations visited and 35% of survey respondents did not provide data protection training.
  • Third Party Contractors
    A number of organisations visited and 57% of respondents did have contracts in place with third party contractors.
  • Technical security controls including encryption and endpoint control
    Most organisations had not disabled USB ports and DVD/CD drives - a big risk to the security of personal data) and 78% of respondents to the survey reported using unencrypted devices or were unsure whether they were encrypted. 
  • System access and password requirements
    94% of of survey respondents and the majority of organisations visited had individual accounts and passwords for their staff, but passwords for approximately half were to too simple and staff should be required to change them more frequently. 
    Only 50% of organisations had controls in place to restrict staff's access to personal data according to job role. 
  • Storage of manual records and locked screens
    More organisations need to ensure files containing personal information are locked away overnight and provide document policies. A large proportion of those visited and 25% of survey respondents did not have adequate security in place. 
  • Fair processing, including CCTV
    50% of organisations visited and 91% of survey respondents didn't have a fair processing notice on their website explaining how customer data may be used or disclosed. Organisations faired better at providing verbal or written information about the use of personal data. 
  • Retention of personal data
    39% of letting agents were keeping electronic information indefinitely. They faired much better at disposing of paper records after a set period of time. 

The findings identified common themes and challenges faced by organisations and in the report the ICO provide many recommendations for how organisations can improve in the above areas, such as:

  • Having written policies in place which also consider home workers and are updated regularly with version numbers. 
  • Providing training on data protection as part of inductions, with regular refreshers
  • Use encryption software and lock down computer ports and drives. 
  • Reviewing personal data held, identifying how long it needs to be kept for and securely destroying data once passed statutory requirements.



If you'd like us to cover the subject of Data Protection in our Regional Meetings and Conferences, just get in contact with the ARLA Representative for your area.  

ICO have a really useful TOOLKIT comprising self assessments, training videos, stickers and postcards to help you improve and promote information rights practices in your organisation. Lots of additional guidance is also available. 

Should you have any questions about Data Protection or the report, please contact Christina Jones: christinajones@nfopp.co.uk