Yes. You can upload old tenants if they have provided you personal details (verbally or otherwise), for the purpose of a reference at the application stage of a tenancy. These details are therefore relevant to referencing for a contract of tenure. However, to make it absolutely clear to the tenant and for the avoidance of future doubt, we recommend that for new tenants you amend your tenancy agreements to include written authority with regards to Data Protection requirements.
You can upload old tenants if you do not have these written tenancy agreements in place as it is acceptable by the ICO Data Protection that your existing data can be used if:
‘The Processing is in accordance with the “Legitimate Interests” condition. So long as a tenant has provided details for a reference and has moved into your property (entered tenure with you), you are able to upload them to the LandlordReferencing database for referencing.’
The processing is necessary; in relation to a contract which the individual has entered into; or because the individual has asked for something to be done so they can enter into a contract.
ICO – The Basics (<— visit the ICO website)
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.
Firstly, it states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.
Should an individual or organisation feel they’re being denied access to personal information they’re entitled to, or feel their information has not been handled according to the eight principles, they can contact the Information Commissioner’s Office for help. Complaints are usually dealt with informally, but if this isn’t possible, enforcement action can be taken.
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Processing personal data for specified purposes
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
This requirement (the second data protection principle) aims to ensure that organisations are open about their reasons for obtaining personal data, and that what they do with the information is in line with the reasonable expectations of the individuals concerned.
There are clear links with other data protection principles – in particular the first principle, which requires personal data to be processed fairly and lawfully. If you obtain personal data for an unlawful purpose, for example, you will be in breach of both the first data protection principle and this one. However, if you comply with your obligations under the other data protection principles, you are also likely to comply with this principle, or at least you will not do anything that harms individuals.
In practice, the second data protection principle means that you must:
The Data Protection Act does not prohibit this, but it does place a limitation on it: the second data protection principle says, in effect, that personal data must not be processed for any purpose that is incompatible with the original purpose or purposes.
The Act clarifies to some extent what is meant by compatibility – it says that when deciding whether disclosing personal data is compatible with the purpose for which you obtained it, you should bear in mind the purposes for which the information is intended to be used by any person to whom it is disclosed.
An additional or different purpose may still be compatible with the original one. Because it can be difficult to distinguish clearly between purposes that are compatible and those that are not, we focus on whether the intended use of the information complies with the Act’s fair processing requirements. It would seem odd to conclude that processing personal data breached the Act on the basis of incompatibility if the organisation was using the information fairly.
If you wish to use or disclose personal data for a purpose that was not contemplated at the time of collection (and therefore not specified in a privacy notice), you have to consider whether this will be fair. If using or disclosing the information would be unfair because it would be outside what the individual concerned would reasonably expect, or would have an unjustified adverse effect on them, then you should regard the use or disclosure as incompatible with the purpose you obtained the information for.
The Act says that:
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
This is the third data protection principle. In practice, it means you should ensure that:
So you should identify the minimum amount of personal data you need to properly fulfill your purpose. You should hold that much information, but no more. This is part of the practice known as “data minimisation”.
Please read our Conditions Of Use before registering; here.