Letting agent registration: privacy impact assessment

Assessment considering any potential privacy impacts that result from the implementation of the registration of letting agents.


Registration of Letting Agents - Privacy Impact Assessment (PIA)

Purpose

1. The purpose of this document is to report on, and assess against, any potential privacy impacts that result from the implementation of the registration of letting agents.

Lead official, business area

2. Charlotte McHaffie, Private Rented Sector Policy Team, Better Homes Division, Housing and Social Justice Directorate.

Project overview

3. Part 4 of the Housing (Scotland) Act 2014 (2014 Act) allows for a regulatory framework for letting agents to be introduced to help improve standards of practice and the service that landlords and tenants receive. This framework includes:

  • a mandatory register of letting agents with an associated 'fit and proper' person test;
  • powers for Scottish Ministers to prescribe training requirements that must be met to be admitted to the register;
  • a statutory code of practice all letting agents must follow;
  • a way for tenants and landlords to resolve complaints against letting agents for breaches of the statutory Code of Practice through the new specialist First-tier Tribunal for Scotland Housing and Property Chamber (Housing Tribunal); and
  • powers for Scottish Ministers to obtain information and of inspection to support monitoring of compliance and enforcement.

Objective

4. The objective of introducing letting agent regulation is to help increase overall standards of service and professionalism within the letting agent industry, whilst providing customers of letting agents with an effective way to resolve complaints against letting agents for breaches of the statutory Code of Practice through the Housing Tribunal.

5. This policy contributes to the Scottish Government's work on improving standards and quality within the Scottish private rented sector ( PRS) in line with its strategy for the PRS - A Place to Stay, A Place to Call Home.

6. The objective fits with the Scottish Government's strategic 'Safer and Stronger Scotland' objective. This helps local communities to flourish, becoming stronger, safer places to live, offering improved opportunities and better quality of life.

Registration

7. Scottish Ministers will establish and maintain the mandatory register of letting agents in Scotland. As part of this they will gather and assess information from relevant persons to determine whether an applicant is considered to be a 'fit and proper' person to carry out letting agency work and has met the necessary training requirements to be admitted.

8. Section 29 and 30 of the 2014 Act specifies certain information that must be contained within an entry to the mandatory register and provided as part of an application. The Act also provides powers for Scottish Ministers to require additional information through regulations.

9. The register must contain an entry for each letting agent including the name and address of each person entered in the register and any other information relating to that person Scottish Ministers may specify by regulations. The register will be publically available.

10. This privacy impact has been assessed against the eight principles of the Data Protection Act 1998 (1998 Act). This is summarised in the appendix to this PIA.

Personal data to be processed

11. A variety of information will be handled in administering registration, some of which will be publically available and some of which will be restricted to those administering the register. Details of the data that we propose collecting and publishing in an entry within the public register and the application are provided below.

A. Entry within the publically available register:

  • Name and business address of the business/person
  • Trading name if different from the legal entity
  • Website (if any) and telephone number (where the applicant has agreed for this to be published)
  • Letting agent registration number
  • Name, trading name and business address of those refused/removed registration for 12 months from final refusal.

B. Applicant information (restricted to those administering the register).

Information to be published within the publically available register

12. Section 29 of the 2014 Act sets out certain information that must be published within an entry to the register of letting agents and gives Scottish Ministers regulation making powers to prescribe additional information relating to that person. Section 29 requires Ministers to publish the name and address of the person in the register. Depending on the legal structure of the business registered this may include personal information e.g. their name, home address and telephone number (where the applicant has agreed for their number to be published).

13. Section 42 of the 2014 Act requires that, where a person is refused registration or removed from the register, this fact must be noted on the publically available register for 12 months after final refusal. Where Scottish Ministers are considering refusing to enter a person or to remove a person from the register, the person is given 28 days to make written representations before a final decision is made. Applicants and registered letting agents also have a right of appeal to the First-tier Tribunal where Scottish Ministers have refused their application or are revoking their registration.

14. Where registration is refused or removed, an entry to the public register would note this in relation to the name, business address and the trading name if different from the legal entity of the person in question. This information will enable those making use of the public register to clearly identify if a specific letting agency business is not allowed to undertake letting agency work. This will help to protect consumers from using, or continuing to use, agents who are not allowed to undertake letting agency work.

15. The publishing of personal information ( i.e. name and address) in the entry to the register is exempt, by virtue of section 34 of the Data Protection Act 1998, from the subject information provisions, the fourth data protection act principle and section 14(1) to (3), and the non-disclosure provisions of that Act.

Information to be collected as part of an application for registration

16. In order to administer the Register of letting agents and determine whether an applicant is a fit and proper person to be admitted to the Register, the Scottish Government will need to collect a range of personal information about:

i. the most senior person within an applicant's organisation;
ii. persons who own 25% or more of the applicant's organisation; and
iii. persons directly concerned with the control or governance of the applicant's letting agency work.

17. We intend to collect the following personal information about each of the persons indicated in paragraph 14:

a) Name

b) Date of birth

c) Current home address

d) Contact details - telephone number and e-mail address

e) Home addresses for the last five years if different from current address

f) Other names by which the person has been known

g) Unspent convictions involving:

i. fraud and dishonesty;
ii. violence;
iii. drugs;
iv. firearms;
v. sexual offence

h) whether they have practised unlawful discrimination on the grounds of any of the protected characteristics in Part 2 of the Equality Act 2010.

i) whether they have contravened any provision of -

i. the law relating to housing;
ii. landlord and tenant law;
iii. the law relating to debt.

j) any Letting Agent Enforcement Orders made against the applicant.

k) details of any previous application made by the applicant under section 30 of the Act which has been refused by Scottish Ministers.

l) details of any removal of that person from the register by Scottish Ministers

m) whether the applicant is a member of the Law Society of Scotland and the identification number allocated by that society

n) any licence, voluntary accreditation or other registration held by the applicant which has been refused or revoked.

o) details of the training undertaken by an individual in relation to the training prescribed by Scottish Ministers, for example name, job title, qualification held, awarding body or training provider.

How this data will be processed

Information gathering and verification

18. Information will be gathered from applicants through a letting agent registration application form, which will be completed online.

19. Where possible we intend to use publically available information to verify the information that is provided. For example, through Companies House, Register of Insolvencies, Financial Conduct Authority and Disclosure Scotland.

20. Access to information collected from applicants will be restricted to:

  • staff processing applications;
  • the IT system provider; and
  • those advising and making application decisions, including Scottish Ministers.

21. The application process will primarily be conducted online through a bespoke IT system that is in the early stages of development. However, further verification and clarification of information may be undertaken by e-mail and through the post.

22. All Scottish Government staff are required to undertake mandatory training on data protection annually. This training provides a practical summary of the Act, defines personal data and sensitive personal data, outlines our legal obligations, provides an overview of best practice on handling personal data and requests for access to that data (called Subject Access Requests). This training provides a solid basis for ensuring information collected and processed as part of the letting agent register is handled correctly.

Storage and disposal

23. Information is intended to be stored on the Letting Agent Register IT system. This system is likely to be provided the Registers of Scotland (RoS), a non-ministerial department of the Scottish Government. RoS routinely handle and manage data and have to comply with Data Protection requirements. Some information relating to the processing of applications may also be held within a restricted file(s) within the Scottish Government's official electronic record and data management system.

24. Personal information will only be held as long as necessary for the effective administration of the regulatory system. We intend to use the following retention timescales:

  • Retain all personal details relating to an applicant's registration for 4 years - this will allow those administering the system to check the accuracy of the information provided should evidence to the contrary be found either during registration or re-registration (registration is for a 3 year period).
  • Personal information will also be retained where a registered letting agent's registration is being reviewed/investigated until the end of that process.
  • Retain personal details of applicants who have been refused registration and registered agents who have had their registration revoked for 10 years.

Data controllers/managers and processing

25. The Scottish Ministers will be the data controllers and it will be managed on their behalf by the Private Rented Sector Regulation Team within the Scottish Government's Better Homes Division.

26. The IT system is intended to assist in automatically checking the accuracy of some of the information provided against publically available information for example through Companies House and Register of Insolvencies. Where discrepancies or anomalies are identified the system would flag these for further manual checking and consideration.

27. Processes for the administration of applications have yet to be finalised, however, it is anticipated that staff within the PRS Regulation team will undertake some manual checking of information and where necessary request information from relevant third parties. For example, Disclosure Scotland, Local Authority Landlord Registration Teams, the First-tier Tribunal.

28. In addition, Scottish Ministers have powers under the 2014 Act to obtain information and of inspections that can be used to assist in the monitoring of compliance. A key strand of our implementation plans include the development of a monitoring compliance and enforcement framework which will set out the steps Ministers will take alongside how the Scottish Government will make use of its powers of inspection. For example in relation to monitoring compliance through random sampling. This framework is currently being developed.

29. Under section 37 of the 2014 Act, registered letting agents must notify Scottish Ministers about any changes of circumstances in writing as soon as practicable. We are currently considering how to streamline and simplify this process. For example, using an online form or self-service updating of records.

Information sharing protocols.

30. Section 59 of the 2014 Act enables Scottish Ministers to delegate any of their functions in relation to letting agents to such persons as they determine. Scottish Ministers intend to make use of this provision and delegate holding of the letting agent register to Registers of Scotland. How information is to be handled between the two organisations will be subject to a formal agreement.

31. As part of effectively administering the fit and proper person requirements for registration set out in section 34 of the 2014 Act, we may need to approach external organisations to verify information or gather further information in order to determine the application. This may require the disclosure of some personal information. For example, the name and home address of an individual.

32. To ensure information sharing is undertaken appropriately and within the requirements of the Data Protection Act we intend to develop Information Sharing Protocols with a number of relevant organisations including:

  • Local authority landlord registration teams
  • Police Scotland;
  • Trading Standards;
  • Registers of Scotland;
  • Law Society of Scotland;
  • Membership bodies e.g. Association of Residential Letting Agents; RICS;
  • First-tier Tribunal;
  • other relevant registers Scottish Ministers have a duty to maintain e.g. Property Factors Registration; and
  • Awarding organisations and training providers.

33. To inform individuals party to an application of the sharing of personal data, we will provide a privacy notice. This notice will inform individuals of the reason for sharing personal data, what data we intend to share and who we are sharing this information with.

Stakeholder analysis and consultation

34. There are a range of stakeholder groups involved in the project. These are:

  • Applicants applying to the register of letting agents - Those undertaking letting agency work as defined by section 61 of the 2014 Act will be required to register. Letting agencies come in different forms and maybe individual sole traders, partnerships, companies or a body with some other legal status. Those applying for registration will need to provide a variety of information (as indicated in paragraph 6 and 7) including personnel information to enable Scottish Ministers to determine whether they are a fit and proper person to be admitted to the Register.
  • Current and prospective private rented sector tenants - tenants and prospective tenants will be able to find out whether a particular letting agent is registered including their name, trading name if different from the legal entity, and business address. They will also be able to see the name, trading name, and business address of those who have been refused registration or removed from the register in the last 12 months. They will not have access to any other personal data.
  • Landlords using or looking to use a letting agent - landlords will be able to find out whether a particular letting agent is registered including their name, trading name if different from the legal entity, and business address. They will also be able to see the name, trading name, and business address of those who have been refused registration or removed from the register in the last 12 months. They will not have access to any other personal data.
  • Representative bodies (for example Association of Residential Letting Agents, Royal Institution of Chartered Surveyors, Council of Letting Agents, Law Society of Scotland, Scottish Association of Landlords) -
  • Their primary interest is in representing their members' interests, ensuring the system is administered effectively and is not unnecessarily burdensome. As previously indicated, some industry bodies may also be involved in the verification of certain information provided by applicants to help determine whether the applicant is a fit and proper person to be admitted to the register. This will also help to avoid unnecessary duplication e.g. for solicitors who have already been found to be fit and proper in relation to their profession.
  • Housing rights organisation and advice bodies (including Shelter Scotland, CRISIS, Citizens Advice Scotland) -They will be interested in the effective running of the system and are likely to search the register when considering and assisting with their clients' cases.
  • Local authorities (landlord registration and housing advice functions as well as their role in relation to trading standards) - interested in using the searchable register as part of administering the registration of landlords in their area. Local authorities may also be involved in the verification of information and the gathering of information to determine whether an applicant to the register of letting agents is fit and proper to be admitted.
  • Police - The Police may use the public register to verify the registration status of a particular letting agent. The Police may also be a source of information and evidence in determining an applicant's fit and proper person status.
  • First-tier Tribunal - Likely to use the public register to verify the registration status of a particular letting agent.
  • IT provider - Scottish Ministers intend to commission Registers of Scotland to hold the register, applicant information and to support administration of the system.

Detail the method used to consult with these groups when making the PIA.

35. We are involving stakeholders including letting agent, landlord and tenants representative groups, local authorities, housing rights and advice organisations throughout the implementation of the regulation of letting agents.

36. In March 2015 we consulted with our main stakeholders on the additional information (including personal data) that Scottish Ministers should collect in order to administer registration. The paper set out the existing legal requirements and considered what further information Scottish Ministers might wish to include and sought views from the Association of Residential Letting Agents ( ARLA), Chartered Institute of Housing ( CIH) Scotland, Citizens Advice Scotland ( CAS), CRISIS, Council of Letting Agents ( CLA), Law Society of Scotland, LetScotland, Edinburgh Private Tenants Action Group (now Living Rent: Scotland's Tenants' Union), National Union of Students ( NUS) Scotland, Royal Institution of Chartered Surveyors ( RICS), Scottish Association of Landlords ( SAL), Scottish Land and Estates and Shelter Scotland.

37. 11 responses were received from the group. Stakeholders suggested gathering a range of information that would help Scottish Ministers to effectively administer the register, including assessing whether an applicant was a fit and proper person and has met the prescribed training requirements. Responses were used to help draft registration regulations, which will set out in secondary legislation the additional information that must be provided as part of an application for registration. We subsequently also consulted key stakeholders on the draft regulations.

38. As part of our assessment of the privacy impact and risks in relation to letting agent registration we shared our draft privacy impact assessment with key stakeholders for their comments. Areas highlighted for further clarity/consideration included:

  • information to be made available to the public as part of an entry to the register;
  • public access to information in relation to those who have been refused registration or removed from the register; and
  • data loss or breach procedures.

39. Comments have been taken on board in this PIA.

40. We will continue to engage with relevant groups to inform our implementation. This will include specific engagement in the development of:

  • information/data sharing agreements;
  • the IT system and user testing.

41. We will update the PIA with any further data handling or privacy issues that arise as implementation progresses.

42. The PIA will be shared with key stakeholders.

Potential privacy issues

Involvement of multiple organisations

43. The registration of letting agents will involve a number of organisations in verifying information provided as part of an application as well as monitoring a registered letting agent's compliance with their legal requirements (see also paragraphs 30 to 33). Organisations likely to be involved include:

  • Registers of Scotland - who we anticipate holding the Register on behalf of Scottish Ministers
  • Local authorities ( LA) - LA will have a legislative interest in ensuring registered landlords are using a registered letting agent where they choose to use a commercial agent. In addition, we may work with local authorities in verifying information provided by applicants to determine whether they may be admitted to the register.
  • Police Scotland - data gathering and information verification in relation to the processing of applications, re-registrations and reviews of registered agents status.
  • Disclosure Scotland - verification of information relating to unspent convictions.
  • Accountant in Bankruptcy - verification of bankruptcy status through their public register.
  • First-tier tribunal - sharing of information relating to registered agents failing to comply with an enforcement order and verification of information relating to these cases.
  • Crown office and Procurator Fiscal Services - sharing of information in relation to the prosecution of offences under the 2014 Act.

Technology

44. We do not plan to make use of new or additional information technologies e.g. bio-metric identification.

Identification methods

45. Each successful applicant will be given a letting agent registration number. Under the 2014 act registered agents must include this number in all adverts and documentation. This number will indicate that they are a registered letting agent and be one way in which landlords, tenants and the general public can search the publically available register.

46. While the number will be linked to the application form, personal data will not be accessible to the public and will be restricted to those administering the registration process on behalf of Scottish Ministers.

47. The registration number will also be provided to local authorities by landlords who use a letting agent. This will indicate that a letting agent has been assessed by Scottish Ministers as being a fit and proper person and that they have met the prescribed training requirements.

48. Letting agent registration number will be used when considering a registered agents application to remain on the register - subject to data retention timescales indicated in paragraph 13.

Personal and sensitive personal data

49. The register of letting agents is a new register and personal data relating to individuals who need to be assessed as part of this process has not been collected or processed for this specific reason before.

50. Data collected to support the new mandatory Register of Letting Agents will include personal information for example, name, date of birth, home' addresses as well as information in relation to unspent offences, court proceedings, insolvencies etc. for the following individuals:

  • the most senior person within the applicant's organisation;
  • any other person who owns 25% or more of the business;
  • any other person otherwise who is (or is to be) directly concerned with the control or governance of the applicant's letting agency work.

51. The handling and security of this information may be of particular concern to the individuals involved.

52. Loss of an individual's personal data may place them at risk of identity fraud, potentially leading to disruption and financial loss for the individual.

53. Loss of personal sensitive data may negatively impact on both an individual's reputation and employment and their business' reputation. This in turn could lead to client loss and consequently financial loss.

54. Most letting agencies currently register under landlord registration, which was introduced by the Antisocial Behaviour (Scotland) Act 2004. Under this process an individual from their business will undergo checks to determine whether they are a fit and proper person to act as an agent for a registered landlord. Under the new regulatory framework commercial letting agents will need to apply to be admitted on to the Register of Letting Agents and, depending on their business structure, a number of individuals may need to provide personal information to enable a proper assessment of whether they are considered fit and proper to be admitted.

55. Landlords will still be required to notify landlord registration where they use a letting agent but it is expected that letting agent regulation will take the lead in considering whether the agent is a fit and proper person. In the majority of cases this will mean that landlord registration no longer requires to hold personal data for this purpose.

56. The registration processes and the IT system have yet to be developed, however, the intention is to cross-reference certain data e.g. name, date of birth, address, convictions as part of the verification of certain data. Some of this verification maybe done automatically through the IT system and others manually.

  • Local Authorities - LA will have an interest in ensuring registered landlords are using a registered letting agent where they have a commercial agent acting on their behalf. In addition, we may work with local authorities in verifying information provided by applicants to determine whether they may be admitted to the register. LA may also be a source of information relevant to the fit and proper person test. For example concerns about the management of HMO properties or complaints about standards of practice.
  • Police Scotland - data gathering and information verification in relation to the processing of applications, re-registrations and reviews of registered agents' status.
  • Disclosure Scotland - verification of information relating to unspent convictions.
  • Accountant in Bankruptcy - verification of bankruptcy status through their public register.
  • First-tier tribunal - sharing of information relating to registered agents failing to comply with an enforcement order and verification of information relating to these cases.

Data handling procedures

57. The application form and related processes are still to be finalised. As part of the development of these we are considering how we can ensure that individuals required to provide sensitive personal data (for example in relation to unspent convictions) can do so in a confidential way without needing to disclose this information unnecessarily to other people who are part of the same application.

58. In developing our formal data handling procedures we will ensure we take into account privacy issues to ensure personal data is handled appropriately and securely. For example, the use of information sharing protocols and agreements, penetration testing and other IT cyber security measures. We will update this impact assessment with further details once this aspect of implementation has been undertaken.

Security breach procedures

59. To ensure that the Scottish Government handles personal data appropriately and complies with its legal obligations under the Data Protection Act, the Scottish Government has developed a number of policies and procedures that will assist the Scottish Government to meet its legal obligations in relation to the holding and processing of data including:

  • Data Protection Policy;
  • Data Handling Policy;
  • Information Security Policy; and
  • Information Asset Owners handbook.

60. Where there is an unauthorised release of personal data, we will act in accordance with the Scottish Government procedures on handling a data breach.

61. In preparation for the register opening, registration staff training will include specific training on data handling and the procedures that should be followed should a data breach occur.

Contact

Email: PRS Regulation Team

Back to top