In a post on the landlords’ website Property 118, National Landlords’ Alliance CEO Larry Sweeney has confirmed that his organisation is under investigation by the Information Commissioner’s Office in relation to a “Rogue Tenants Database” that’s referred to on his website.
There’s absolutely no information about this database on the Alliance’s website. For non-members the site just displays a message saying the information is available to members only.
It’s a matter of legitimate public concern (and of particular concern to tenants) how this database operates:
- Where does the information on the database come from?
- On what grounds is a tenant added to a list? How is “rogue tenant” defined?
- How does the Alliance ensure it’s correct?
- How does the Alliance ensure it’s up-to-date?
- On what grounds under the GDPR is the Alliance keeping the database at all?
- Who has access to the database, and how is it being kept secure?
- How can a tenant tell if they’ve been added to the database, and how can they challenge any incorrect information?
- Generally, what arrangements have the Alliance made to comply with the GDPR?
So it’s entirely appropriate for the ICO to enquire into this database, particularly given the limited information available on the Alliance’s website. Incorrect information might seriously affect someone’s ability to get access to housing.
Rather than engage sensibly with the investigation, Sweeney has doubled down and claimed that the ICO are targeting him because he’s repeatedly called for the resignation of Information Commissioner Elizabeth Denham over what he claims is a cover-up of mass breaches of the GDPR by local authorities:
So, is there any truth in his claims that local councils are committing mass breaches of the regulations, aided by the ICO? Sweeney has been less than forthcoming about the breaches he claims are occurring, but in another post on Property118 he gave us a clue.
On its landlord application this authority demands addresses of properties owned by the landlord applicant in other boroughs. If the Council wanted to check with other authorities with respect to a landlords conduct, perhaps this might be acceptable. but it is an abuse to demand addresses of landlords properties licensed elsewhere.
Sefton quote HMO regs as a justification for obtaining this information. Irrespective of that this is a clear GDPR breach demanding excessive information. If readers are not convinced yet, then look at what follows. The authority as per GDPR has a duty to maintain the data held as current and up to date. If a landlord disposes of his holdings outside of Sefton or purchases a property in Devon or London, the Council will not have the relevant data on file, unless the landlord decides to become involved in assisting Sefton remain GDPR compliant by updating them every time he purchases or sells a property. There is no legal obligation on him to do so.
So a landlord (in an area where selective licensing is in force) applies for a licence from his local authority. As part of that application he has to give the details of the properties he owns outside that authority’s area. Sweeney says this might be acceptable if the authority wanted to check the landlord’s conduct elsewhere. I agree. One of the problems that has been identified with licensing schemes is that rogue landlords are able to operate elsewhere with impunity – there’s not enough co-ordination between authorities. It’s unclear why he then goes on to say that it’s an abuse to ask for details of landlord’s properties licensed elsewhere.
Sweeney’s real complaint seems to be that, having obtained that information, the authority don’t keep it up to date – “The authority as per GDPR has a duty to maintain the data held as current and up to date” – and this seems to be the principal ground for his claims about mass GDPR breaches. If so, he’s profoundly misunderstood the requirements of the regulation. It’s true that Article 5 refers to information being kept up-to-date, but this isn’t an absolute requirement: it must be kept current only when necessary.
A landlord makes an application for a licence, and provides the information necessary for the authority to determine that application. The application is an event – once it’s been determined, there’s no need to keep collecting information. Indeed, given the requirement that data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” it’s hard to see why that information could lawfully be collected. Sweeney is barking up an imaginary tree.
Look at an analogous situation: a tenant wants to rent a house from a landlord. He gives a lot of (let’s face it, pretty intrusive) information about his financial, family and employment status to his potential landlord. If Sweeney’s position that information of that kind has to be kept current is correct, every landlord who’s obtained that information has committed an actionable breach of the GDPR if he hasn’t kept that information current. No tenant would agree to give his landlord a running commentary of that kind.
No, Sweeney’s complaints are futile, and if the ICO hasn’t mounted an investigation it’s because he hasn’t identified a clear breach of the GDPR. He’s spent weeks demanding the ICO investigate others, and now it’s time for him to co-operate fully into their investigation into him.
Like what you’ve read? Why not buy me a coffee?