Registered providers developing social housing alongside local authorities are widely acknowledged to be leading the implementation of smart tech in homes to help ensure occupants stay safe and to deliver cost efficiencies. In doing so, could they inadvertently be exposing themselves to scrutiny and enforcement from the UK's data protection regulator, the Information Commissioner's Office (ICO)?
In our experience, whilst other sectors may be less advanced in terms of the deployment of smart tech, they have perhaps been more alive to the need to identify and manage the data-related regulatory risk created by new technologies. In this article, we discuss some key issues to help registered providers avoid the 'bear traps', drawing on experience from other sectors.
Where's the data?
The first task is clearly to identify the personal data that is being generated or used by this technology. Consider a boiler that self-diagnoses based on its usage results (the commercial rationale being that a small, quick fix made early is better for all parties than a larger, more expensive repair that could have been prevented with earlier intervention). Each time the boiler is turned on by the occupant, this is logged and, as a result, the registered provider has live data about when occupants may be at home, when they get up, when they go to bed and even whether they may be living in fuel poverty.
The same principle applies to the use of smart meters for utilities. When processing this data on a large scale and/or when dealing with vulnerable data subjects, this could easily generate commercial, regulatory and reputational risk for registered providers (as well as maybe an opportunity for those savvy enough to spot it).
This data may 'look' aggregated or anonymous, but in practice it is very likely to qualify as personal data for the purposes of GDPR and the Data Protection Act 2018. In processing this personal data (even if they're not actively 'doing' anything with it), registered providers will take on the obligations of a data controller, which are wide and potentially treacherous given the volume and nature of the data that will be collected from each project.
How should registered providers address data protection when implementing smart technology?
If you consider the trend towards developing fully connected communities of smart homes serviced by mobility hubs, the extent of the data that a registered provider may generate, collect and process becomes vast. The registered provider will need to develop a coordinated data strategy from the start of the project in order to efficiently and appropriately use this data for the benefit of the occupants, for its own commercial and operational benefit and to ensure that it is processing occupant personal data in accordance with applicable data protection legislation in order to manage risk.
In our experience, the 'day to day' data protection concerns of registered providers tend to be tricky, with numerous subject access requests and similar issues requiring a reactive approach. However, our suggestion is that registered providers may need to 'recalibrate' their approach to data protection risk and should be proactively focusing on wider issues, particularly when looking to deploy smart technology, to avoid possible 'bear traps' such as large penalties or regulatory intervention.
Our data protection checklist for registered providers
Records of processing activity
Have you considered and addressed digital datasets when compiling these records?
Data protection impact assessments
Innovative technology deployed across whole developments or communities is likely to trigger your obligations to carry out a Data Protection Impact Assessment. Have you got these covered?
Data processing and sharing
Who actually has the data and what are they doing with it? Where is it? Consider your technology supply chain and development partners. Have you got the right contract terms in place?
Potential breaches or security incidents
You may process personal data on a large scale using innovative technology, or process data about vulnerable people. Have you got plans in place to identify and deal with data breaches that are fit for purpose for this type of data?
Privacy notices
Have you notified occupants with a privacy notice explaining how you will process their personal data, for what purpose and the other third parties involved?
Profiling or predicting
Massive digital datasets generally have commercial value to someone able to interpret and manipulate them. Data protection issues are likely to become even more critical if registered providers exploit (or have plans to exploit) that data or allow someone else to do so, even if that is some way off in the future.
Under GDPR (which will continue to apply in the UK for now, regardless of Brexit) the ICO has the power to award fines of up to £17 million or 4% of group global turnover for non-compliance.
When deploying smart technology, registered providers should ensure that they are making smart data decisions or run the risk of facing ICO intervention and possible fines.
If you are interested in finding out more about the data protection implications in the use of smart technology in properties, get in touch.