DP breech by Student Letting Agency

[yourturntopay]

Please may I ask for some advice regarding a data protection breech by a letting agency.

 

My daughter is a student and about to move into a house she is renting with 2 other students.

Over the past few weeks the letting agency has been the cause of a great deal of confusion and frustration so I would deeply appreciate any thoughts/advice/suggestions on how to proceed.

 

I’ve broken things down into a time line as I thought it would be easier to understand the situation this way.

 

May 2018

House found and tenancy applied for.

D didn’t receive paperwork as promised from LA so queried why.

LA confirmed they had used incorrect email address (LA had incorrectly input email address on their system).

LA amends D’s email address and emails tenancy agreement to D.

D signs and returns to LA.

 

07 June 2018

I receive guarantor contract, I sign and send back

D paid £700 deposit to landlord via internet banking.

Tenancy agreed to commence on 07 August 2018.

 

05 July 2018

D sets up account with bill company (Akasa) for her and 2 other tenants.

 

19 July 2018

D receives an email and text message from Glide informing her that LA had passed on her personal information to them (Glide) and requested an account is set up.

 

D phoned Glide to ask why an account had been set up as she had not requested this.

Glide informed D that LA had sent them her information as previous tenants had used Glide.

D advised she did not know why the LA had for this as she had not given consent for her personal information to be released.

Informed Glide that she had already instructed Akasa to deal with bills and did not want or need an account with Glide.

 

Glide confirmed that an account had been opened in her name but if Akasa took over before the tenancy commenced Glide would not charge her.

D confirmed with Glide she did not want their services and was remaining with Akasa. D did not sign any agreement with Glide for an account to be set up.

 

D then emailed Akasa to ensure the switch was in place for them to commence as bill provider when the tenancy commenced on 07 August. Akasa confirmed everything was in place and would commence as agreed.

 

27 July 2018

Akasa emailed D to confirm switch would take place on 05 August 2018 and payment would be requested for same day.

Payment method set up by all 3 tenants.

 

31 July 2018

D emailed LA asking for meter reading as Akasa informed D the readings were needed to ensure double charging did not occur.

D informed LA that she had instructed Akasa as bill provider but because they (LA) had instructed Glide to set an account there was a risk that D could be charged by both companies.

 

D informed LA that this situation had occurred because their (LA’s) actions.

D informed LA that she did not want to use Glide and wanted to remain with Akasa.

 

LA stated that meter reading would be given on the first day of the tenancy to ensure they were not charged for any use prior to commencement of tenancy.

LA did not explain why they have given Glide her personal information without her authority or knowledge.

 

06 August 2018

Tenancy is to commence next day but D is not moving in until la later date as she in in Thailand.

LA sent email marked as urgent to D at 2pm saying she had to complete some paperwork or the keys would not released the keys to other 2 tenants in the morning.

 

D asked why this hadn’t been requested before and explained she didn’t have the info available due to being in Thailand.

LA insisted forms had been sent and D was at fault as she had failed to return the paperwork that was emailed to her and she had to complete these forms or the tenancy would not go ahead.

 

D questioned when and how paperwork was sent to her.

LA confirmed the date the paperwork was emailed to D and she realised the LA had sent it to an incorrect email address.

D reminded LA of their error with the email address and that they had sent her the tenancy agreement only.

D was unaware there was further paperwork that she needed to complete and she did not did not receive any requests for missing paperwork.

 

As D was moving to an area without internet connection she asked me to sort out the paperwork on her behalf.

 

Whilst completing paperwork I note that LA requests permission for personal info to be passed to Glide.

D had not received this form so LA never had permission to share any of D’s personal info and should not have done so.

 

Forms completed and emailed with forms attached sent to LA asking why they had left it so late to check they had all the required paperwork and why D’s info had been given to Glide without her authorisation or knowledge.

LA said they would respond once they had looked into the matter but never did.

 

07 August 2018

Tenancy commences and the other 2 tenants move into house.

 

D received an email from Glide requesting payment for services used.

Glide does not explain what charges are for.

D does not have info about account so is not able to check why she has been billed etc.

 

Questions

Am I right in believing that LA has breeched data protection rules by releasing her information to Glide without permission?

 

What action can D take against LA regarding DP breech and how does she do this?

 

What can D do about Glide and their request for payment?

 

Only info D has about tenancy deposit scheme is the name of deposit scheme that’s stated in her tenancy agreement.

After checking the deposit has been secured via mydeposits.

D has not received the tenancy deposit certificate or any information about the scheme etc.

 

Can she take any further action regarding this? If she what and how can she do this?

Edited September 25, 2018 by dx100uk
spacing

[ericsbrother]

I would;d be telling glide that they have no contract and the information they have been given is both incorrect an from a source that has no authority to offer anything on her behalf and any continued processing of her data will be reported to the ICO.

 

As this is all the fault of the la they are the ones you should be going after. if they are a national chain then head office should know otherwise i would be letting the actual landlord know there has been a massive foul up and they may end up footing the bill that is above any amount charged by Akasa as LA are their agents and not in the employ of the tenant.

 

She is in a position to sue fro the breach but it might be better to first make a complaint to whoever is the head of the company and ask them to desist from processing the incorrect data and to delete it. Also ask for proof that the incorrect data has now been expunged and a suitable instruction to glide to do the same has been sent. the report to the ICO

 

As for deposit, LA may hold it and pay an insurance bond to the scheme. That is normal for bigger LA's

Edited August 23, 2018 by Andyorch
Paras

[yourturntopay]

Thank you very much for the helpful response and advice, which we are following.

 

Glide has been advised of the above and they argued a bit but backed down and have withdrawn the charges and closed the accoun so thank you for helping with this, it’s a huge relief to have this resolved.

 

This leaves us with the data breach and deposit issue.

 

A complaint has been made to the LA which they acknowledged receipt of. LA said they would investigate the concerns within the complaint and let us know the outcome of the investigation. This was over 3 weeks ago and the LA have not responded to the complaint so remains unresolved

 

The LA is an independent student letting agency and according to their website they have a DPO.

Should we write to DPO or to the managing director to express our concern that they have recorded incorrect data and also passed on personal information without authorisation and we are reporting this breach to ICO.

 

Do we need to give them any more time to respond or can we move forward with our complaint to the ICO.

Do we include the landlord in this communication?

 

In regards to the deposit, D paid her deposit to the landlord on 01 June 2018.

Neither LA or LL has confirmed or supplied any documentation regarding the deposit being secured.

 

After rechecking her tenancy agreement we noted the name of the company to be used to secure the deposit so we did an online search for the company which confirmed the deposit has been secured.

 

The online check asked for her rental postcode, surname and month/year deposit was paid, does this mean the LL/LA has secured each of the tenants deposits indidvually?. Lead tenant has received an email advising that the deposit had been secured and the deposit certificate and information regarding the scheme would be sent to them.

This has not happened.

[steveod]

There are 2 breaches possibly.

 

One by the LA.

The other by Glide depending on what info they provided in their initial communication.

 

The LA misused data by sending to incorrect address.

LA passed info onto Glide.

This did not necessarily need consent as may be set out in the contract as part of the performance of the contract so will all depend on the wording of the actual contract.

 

Glide probably didn’t provide the info required under the GDPR article 14 so misused the personal data , but it depends on what was in their initial text and email.

[yourturntopay]

We have checked the tenancy agreement and this is the only mention regarding utilities

 

The Tenant must establish accounts and pay for all utilities and council tax (where applicable) to the relevant parties or notify the council (where applicable) of any council tax exemptions.

 

D set up the bill payments with Akasa as she was not aware of Glide’s involvement with the previous tenants.

 

Glide informed D that LA had instructed them to set up an account for D. We have now confirmed that LA received commission for every referral made to Glide. Could this be perceived as selling data as the LA has not declared they receive payment for referrering tenants to Glide.

[steveod]

It doesn’t matter whether the LA just pass the details or sell them as long as the data subject is notified by both the LA and the recipient of the data in accordance with the GDPR. By the sounds of it this has not happened and so D has a cause of action for compensation against both the LA and Glide

[yourturntopay]

Thank you for all the advice and support, it is very much appreciated.

 

D has now moved into her new home and has met the landlord who was very pleasant and accommodating.

The issue regarding the deposit has been sorted, the landlord dealt with the deposit registration and has made sure D has all the required paperwork.

 

However the LA are still being very difficult.

They are not communicating with any of the tenants.

D contacted them as she needed to know the arrangements for accessing the property but they never responded.

Fortunately she had the contact details for the landlord and he met us at the property to give D her key and show her around etc.

 

We are in the process of making a SAR to glide and the LA.

The LA’s website gives a lot of info regarding GPDR and who their DPO is, what their registration number is, how to contact them etc . However upon checking this info on the ICO Data protection register the LA registration number and address is different to address stated on the LA website.

 

Is it of any relevance that the LA website and ICO have different contact addresses for the DPO?

 

Given the confusion over the addresses should we send the SAR to the LA to the address used on all their correspondence? (They are an independent LA and only have one branch)

[AnotherLegend]

We are in the process of making a SAR to glide and the LA. The LA’s website gives a lot of info regarding GPDR and who their DPO is, what their registration number is, how to contact them etc . However upon checking this info on the ICO Data protection register the LA registration number and address is different to address stated on the LA website.

 

Is it of any relevance that the LA website and ICO have different contact addresses for the DPO?

 

You can always send a SAR to the person who dealt with the tenancy and ask for it to be passed to their data protection officer or the person who deals with data protection matters.

[yourturntopay]

May I ask for some more advice pretty please? D sent a SAR to Glide and they have rrequsted her to confirm her date of birth and mobile phone number so they can proceed with her SAR.

 

Glide should not have any information on D as she never given her peromossion for LA to share for information with Glide. She has sent the SAR to see what personal information the LA gave to Glide.

 

Is it reasonable for Glide to ask for this information?

Can Glide refuse to proceed with the SAR if she doesn’t supply the requested information

Please could you advise on how she should respond/proceed?

 

Many thanks for all advice/help/suggestions given

Blank.pdf

[AnotherLegend]

It's reasonable to ask for this information to verify the person making the right of request is actually that person.

 

Every letting agent agreement I've ever seen has given permission for data to be shared with third parties. Are you 100% sure that the agreement did not allow this?

[yourturntopay]

Yes, her tenancy agreement states her personal information maybe passed to ulitity companies if there outstanding bills after the tenancy terminates but nothing about information sharing prior to the tenancy commencing.

 

They should have sent her a form to sign agreeing to her information being shared but they sent the form to an incorrect email address so she never received it. We have confirmation of this

[dx100uk]

we always advise sending a copy of the relevant ctax bill naming the person at the address they want it returned too.

[yourturntopay]

Unfortunately D has not received a CT bill yet as she only moved in to the student house 10 days ago. I know she has provided her details to the council as they requested proof she is a student.

 

Should she wait until she receives her CT bill and send this to Glide (she will call her local council and request a CT bill is sent to her ASAP)

 

Alternatively could D send Glide a copy of her tenancy agreement instead - what do you advise?

 

What has us slightly baffled is why Glide are asking for her DOB and mobile phone number to confirm her identity. Consent has never been given for Glide to have this information. We are intrigued about what information Glide has for D and how this was obtained.

 

Does Glide have a responsibility to ensure any personal information they receive from referrers has been given with the owners knowledge and consent?

 

Should the LA disclose they receive a commission payment from Gide for every referral they make?

 

Does Glide have the right to set up an account and demand payment from an individual without ensuring they have given their consent for this?

 

Thank you very much for your kind assistance and advice with this matter, it’s very much appreciated and valued

[AnotherLegend]

Yes, her tenancy agreement states her personal information maybe passed to ulitity companies if there outstanding bills after the tenancy terminates but nothing about information sharing prior to the tenancy commencing.

 

They should have sent her a form to sign agreeing to her information being shared but they sent the form to an incorrect email address so she never received it. We have confirmation of this

 

Just to make you aware, a data controller does not need explicit permission to provide personal data to a third party (if that third party is a data processor).

 

However, it should be listed in the LA's privacy policy who they share personal data with and some basis for this.

[yourturntopay]

My daughter has had a lot of email tennis with Glide as they were refusing to give her all the data they held on her and were asking her to confirm personal information they should never have been given.

 

She contacted the ICO for advice who recommended she submit a complaint but before she could do that Glide sent her an email apologising for their errors and explaining what steps they have taken to correct their errors and ensure staff are trained to deal with SAR and GDPR matters correctly.

 

She is now considering what to do next.

She has not received the SAR from the LA and so I think she is waiting for that to come through before deciding her next move.

 

Any suggestions?

 

Just one point that I’m struggling with is Glide’s insistence about the right to have her personal information.

 

Glide may have been the previous tenants bill provider but they moved a couple of months before my daughter’s tenancy began.

 

My daughter was completely unaware of Glide’s involvement at the property so had made alternative arrangements that commenced a day before her tenancy started.

 

The first she knew of Glide was when they informed her an account had been set up in her name for bill payment.

 

She contacted Glide and told them she had not consented to her personal information being given to them or for them to create an account in her name.

 

She informed them another bill agency had been instructed and was ready to commence when the tenancy began.

 

Glide totally ignored this and a couple of days into the tenancy sent her a bill requesting advance payment for ultilty usage - even though the other company was in situ and taken over as bill supplier.

 

Glide eventually withdrew their request for payment but it took a lot of arguing and determination on my daughters part.

 

The issue I have is that Glide were never the supplier to my daughter so why do they insist they had the right to her information and to charge her?

 

Is this an ICO issue and/or she should report Glide?

Glide response 17.09.2018.pdf

[dx100uk]

I think an ico follow up call is in order here

 

it might be better if you upload that letter to ONE multipage PDF please so we can zoom please

[yourturntopay]

Hi DX, I’m hoping I’ve uploaded the file correctly.

Glide response 25.09.2018.pdf

[AnotherLegend]

Is this an ICO issue and/or she should report Glide?

 

Report them for what though? Their response looks well constructed and completely compliant with the new DPA.

 

It's a common misconception that companies need your explicit consent to process your personal data.

 

Your issue is that the LA passed your daughter's personal data over to Glide, a third party data controller. So if you raise a complaint, you will need to be able to show that:

 

1) The LA did not have explicit permission to transfer your daughter's personal data to Glide

 

2) The LA cannot rely on the 'legitimate interests' basis for processing your daughter's personal data (this will be difficult to do in my opinion)

[yourturntopay]

Glide still have personal info that they are not sharing. We’ve checked with the ICO and my daughter is entitled to this information and say glide should send this but they are refusing to.

 

The ICO have told us to lodge a complaint.

[AnotherLegend]

Glide still have personal info that they are not sharing.

 

Which personal data are you referring to?

 

If you're looking for the email between the LA and Glide containing the spreadsheet, then you will not get this because:

 

1) Your daughter is not the data subject of the email

 

2) Your daughter's personal data is not in the actual wording of the email

 

3) The email contains the personal data of other people and providing it to you would infringe their rights

[yourturntopay]

Why is point 2 hard to prove?

 

My daughter was never asked if she wanted Glide’s services, she never consented to an account being set up in her name.

 

Her tenancy agreement only states that the LA ma pass on her information if there unpaid charges to utility companies.

 

Glide set up an account in her name without her authority or knowledge and sent her a payment request for services prior to her tenancy commencing (the info we’ve received showed they were fully aware of the tenancy start date but still tried charging her before this date)

 

Glide never supplied any services to my daughter as she gadxarraged another company to commence a day before the tenancy so Glide never had reason to have her information or to charge her.

 

The LA also knew this and about the other bill company but gave her details to Glide anyhow as they receive commsion for every person they refer

 

that applies to the spreadsheet but they supplied a redacted version of that. How do we know what is and isn’t in the email as we haven’t seen it.

 

The ICO said the email should be redacted and sent to us as the spreadsheet was attached to the email so it’s reasonable to believe that the email may have information about her.

 

If they have nothing to hide them why don’t they do what they did with the spreadsheet data and redact it and send her that version

 

We don’t trust Glide, they have created multiple reasons not to comply and ignored requests then out of the blue their DPO sent her an email admitting they had made mistakes and not responded to her SAR correctly or sent all the information they should have.

 

If she hadn't been so determined about accessing her data and hadn’t challenged Glide she never would have gotten that apology from Glide.

 

How many other SAR has Glide ncorrectly habdled and if they can’t get that right what other errors are they making?

[AnotherLegend]

Why is point 2 hard to prove?

 

Because as a utility supplier, they will continue providing a service until they are told otherwise. In order for them to know who to charge, they will need to process personal data and they have a legitimate reason to do this (someone cannot live there and not pay the utility bills).

 

I'll give you a very simple example - you buy a property and move in. The existing gas supplier will continue to provide gas, even if you haven't agreed to them setting up an account or providing you with a service. This is known as deemed consent.

 

Your issue here is going to be with the LA. If you can show your daughter did not give explicit consent for the LA to pass her personal data to Glide, her rights will have been infringed.

 

How do we know what is and isn’t in the email as we haven’t seen it.

 

The ICO is not an investigative body - they will not demand to see every email. They will contact Glide and might ask why they have not provided this email, and the answer will be the same as has been provided to you. The ICO will accept this explanation, unless you can produce evidence otherwise.

 

The ICO said the email should be redacted and sent to us as the spreadsheet was attached to the email so it’s reasonable to believe that the email may have information about her.

 

To put it simply, if your daughter cannot be identified from the wording of that email, there is no legal reason for Glide to provide it (redacted or not).

 

If they have nothing to hide them why don’t they do what they did with the spreadsheet data and redact it and send her that version

 

Because there is no legal basis for providing that email unless your daughter can be identified from it.

 

Glide have stated this and the ICO will accept this as an explanation, unless you can prove otherwise.

 

We don’t trust Glide, they have created multiple reasons not to comply and ignored requests then out of the blue their DPO sent her an email admitting they had made mistakes and not responded to her SAR correctly or sent all the information they should have.

 

The DPO appeared to be responding to you, so I don't see how it's out of the blue?

 

Glide have admitted making a mistake, they corrected it, explained why it happened and what steps they will take to ensure it won't happen again. The ICO will see this as a satisfactory answer and will probably provide further guidance about dealing with personal data which is mixed in with the personal data of other individuals.

 

GDPR is not simple and companies are being extremely cautious because of the potential fines that can be imposed.

 

How many other SAR has Glide ncorrectly habdled and if they can’t get that right what other errors are they making?

 

You can make a FOI request to the ICO and ask this question.

[yourturntopay]

I understand the example and totally agree.

 

Where this differs from this example was Glide were not the utility provider when the tenancy commenced as my daughter had arranged for a different bill company to oversee this. Glide were made aware of this in July, which was a couple of weeks prior to the tenancy commencing. When Glide wrote to my daughter to inform her an account had been set up in her name. She immediately informed Glide that she did not require their services and that another company would be their supplier upon commement of the tenancy. My daughter gave full details and sent confirmation of the other company and their intention to supply services when the tenancy commenced.

 

Did Glide not have a responsibility to check they were still supplying services to the property and had a right to ask for payment before sent my daughter a request for payment. Glide did not not check they were still the supplier although they had received confirmation the other company was supplying utility services to the property.

 

Could it not be argued that Glide misused her data by requesting payment for services they never supplied. As I understand it Glide failed to process her data correctly by not closing down the account she never asked for or needed and misused her personal information to request payment that was not dus.

[AnotherLegend]

Where this differs from this example was Glide were not the utility provider when the tenancy commenced as my daughter had arranged for a different bill company to oversee this. Glide were made aware of this in July, which was a couple of weeks prior to the tenancy commencing. When Glide wrote to my daughter to inform her an account had been set up in her name. She immediately informed Glide that she did not require their services and that another company would be their supplier upon commement of the tenancy. My daughter gave full details and sent confirmation of the other company and their intention to supply services when the tenancy commenced.

 

Did Glide not have a responsibility to check they were still supplying services to the property and had a right to ask for payment before sent my daughter a request for payment. Did they not misuse her data by charging her for services she didn’t recieve. Glide did not not check they were still the supplier although they had received confirmation the other company was supplying utility services to the property.

 

These issues, in my opinion, aren't anything to do with data protection.

 

You should look at OFGEM's rules and possibly OFCOM (if telecom is involved as well) as I would imagine there are some rule breaches that have occurred regarding the transfer of service.

 

Could it not be argued that Glide misused her data by requesting payment for services they never supplied. As I understand it Glide failed to process her data correctly by not closing down the account she never asked for or needed and misused her personal information to request payment that was not dus.

 

I don't believe this is a data breach or misuse of personal data.

 

However, you need to look at the LA's relationship with Glide. There is an incentive for the LA (commission) to sign up tenants with Glide, so did the LA deliberately try to keep your daughter with Glide, despite being told she was using Akasa?

 

There are 3 things you need to look at:

 

1) Why did the LA provide your daughter's info to Glide without her permission?

 

2) Why did Glide still try to provide a service or bill your daughter after being told that she was not using their services (I believe this is an OFGEM complaint)?

 

3) Did the LA fail to ensure that Glide were made aware that your daughter was not going to use their services?

[yourturntopay]

Thank you for your very helpful and insightful posts. I am extremely grateful for your assistance and suggestions. Thank you

 

We are waiting for the LA to respond to her SAR. Once we have had the opportunity to go through all of the info they send we will be in a better position to understand what has and hasn’t happened.

 

We will keep you updated,this has certainly been very eye opening.