Beware software with no delete function

You may have missed the fine of €14½ million imposed by the data protection authority of Berlin on Deutsche Wohnen SE, a property management company who were found to use software systems that do not allow for the deletion of data. This regulatory action resonated with the Outsourced DPO because it is a situation he has come across countless times in the UK’s social housing industry.

The similarities are striking. Deutsche Wohnen SE was found to be holding data on the personal and financial circumstances of tenants, salary certificates, self-disclosure forms, extracts from employment and training contracts, tax, social and health insurance data as well as bank statements. They were warned by the Berlin data protection authority in 2017 to make amends and despite having made some preparations to correct the situation were found in March 2019 to have insufficient measures in place to demonstrate compliance with both Article 5 of the GDPR (data retention) and Article 25(1) relating to privacy by design and by default.

During a recent compliance audit of a large housing association, the Outsourced DPO was critical of the customer’s housing management and document management systems for not allowing for data to be erased. The Outsourced DPO rated the housing association’s compliance with the 5th data protection principle as “non-compliant” and advised urgent corrective action.

Personal data was found dating back to the mid-1990s including transcripts of conversations, bank statements, survey forms, correspondence about repairs and maintenance, scanned copies of passports, bank statements, medical forms etc. The retention of most of this historic information could not be satisfactorily justified to the Outsourced DPO and, in his opinion represents a ticking time bomb that the housing association is making insufficient effort to defuse! It won’t take much to trigger an explosion either – a subject access request followed by an erasure request or objection to processing will undoubtedly flush out all of this historic information and the housing association’s inability to erase it.

The social housing industry needs to be cognisant of the Berlin fine and apply collective pressure on their software vendors to correct this major flaw in their systems.

For more information about DPP’s Outsourced DPO Service please refer to our website or contact [email protected]

Phillip Brining