For my example, we will use a property lettings company to illustrate where policy may be implemented.
External Policy Implications (Data Protection Act)
A company that lets, sells and rents houses will have many types of information that they will keep in their database, for example;
Their landlord customers data
- Personal Details (Name, Bank details).
- Address of the property they live at.
- Address of the property they are selling or letting.
- Contact details of for maintenance contractors.
- Letting Agreement.
- Tenancy Agreement and permissions.
Their lettings customers data
- Customer details (Name, Bank details).
- Address of the property.
- Conditions of their contract.
- How long they have lived at the property.
These are just two sets of multiple tables a letting company may keep about agreements between tenants and landlords. The data protection should first prevent the following;
- Information about the landlord being given to the tenant without the landlord’s permission, if the landlord has requested that, for example, their address is not shared with tenants.
- Tenants accessing the database to view other tenant information.
- The public accessing the database.
- The public being able to change the database.
- The data is not kept for longer than needed.
- The data is not backed up.
- Proper access control restricts access to the information.
- Data is not shared with other parties. (see Internal Policy Implications for exceptions)
- The data is obtained lawfully. Stealing or asking for information about a customer’s data should not be tolerated without their consent.
These are just a few examples of the principles of the data protection act that prevent the data being used unlawfully.
In addition it should also not be the responsibility of the landlord to hold information that relates to the property lettings company, This falls under keeping data secure as it could be argued that data that is not held by the company but is crucial to the agreement is the responsibility of the letting company, as if there was to be a dispute between the tenant and the landlord, it would be hard to retain the information if the landlord has the only copy.
Additionally, data that is old or outdated should be deleted or updated, if a lettings company was to retain information of past customers, if they were to face a breach, they could worsen the damage if the data leaked was harmful to a past customer.
Internal Policy Implications
In addition to the data protection act preventing the direct breach of client data, the computer misuse act should prevent the unauthorised access to systems that are publicly available as it is necessary that the property lettings company take the necessary precautions to ensure that the data is kept secure from anyone except those are permitted to see it through some form of access control.
Landlords are however allowed to pass the names of clients on to third parties so long as it is to ensure that proper billing addresses and such are directed to the client accordingly.
It is not appropriate to provide a landlord with a tenant’s references without first contacting the tenant that they (the lettings company) wish to do so.
Landlords cannot disclose to the public tenants who are in arrears as this is information about individuals, this can only be provided to tenants or anyone who is responsible legally for the tenant.
In general, landlords should make clear to tenants when they sign the tenancy when and how their information will be given out. Information about a tenant should be considered very personal and in cases where the data is needed to be disclosed in an emergency, it should be given out only with proper consideration for the law.