Resources

Podcasts, Guides, Updates & More


Data Protection People Blogs

Data Privacy Learning & Guidance

Our mission is to make data protection easy: easy to understand and easy to do. Our weekly podcasts are available in our Resource Centre along with a collection of articles, white papers, useful guidance, templates, case law, and opinions – providing you with tools you can utilise in your workplace.


Social Tenant Access to Information Requirements (STAIRs): What Housing Associations Need to Know

From October 2026, social housing providers in England will face a new statutory transparency framework known as the Social Tenant Access to Information Requirements, commonly referred to as STAIRs. The regime introduces formal rights for tenants of housing associations and other private registered providers to access information about how their homes and services are managed.

STAIRs represents a significant shift for the sector. While transparency has long been encouraged through good governance and tenant engagement, STAIRs makes information access a legal requirement, with defined timescales, oversight, and routes of escalation.

Housing providers now have a clear window to prepare. The decisions made over the next 12 to 18 months will shape how smoothly organisations adapt to this change.

What is STAIRs and why was it introduced?

STAIRs was created to address an imbalance in tenant information rights across the social housing sector.

Tenants renting from local authorities already benefit from the Freedom of Information Act 2000. This allows them to request recorded information about repairs, spending, decision making, policies, and service performance.

Most housing associations, however, are private registered providers and are not subject to FOIA. As a result, their tenants have historically relied on data subject access requests under data protection law, which only provide access to personal data, not wider operational or service information.

STAIRs closes this gap by introducing a sector-specific transparency regime. Rather than extending FOIA to housing associations, it creates a tailored framework that focuses on the management of social housing while recognising the need to protect personal data, confidential material, and third-party information.

As Catarina Santos, Data Protection Consultant Manager, explains:

“STAIRs is not about opening the floodgates to unrestricted disclosure. It is about giving tenants meaningful visibility of how their homes and services are managed, while ensuring information is handled lawfully, consistently, and with appropriate safeguards in place.”

Importantly, STAIRs does not replace or override existing data protection law. UK GDPR and the Data Protection Act 2018 continue to apply in full. Providers must balance transparency with their ongoing legal obligations around privacy, confidentiality, and security.

How the STAIRs framework works

STAIRs is built around two core obligations, each with its own timeline and operational impact.

Chapter 1: Publication schemes

Deadline: 1 October 2026

By October 2026, all registered providers of social housing must have a compliant publication scheme in place. This is the first major milestone under STAIRs.

A publication scheme sets out what information a provider proactively makes available and how tenants can access it.

What information must be published?

STAIRs does not require providers to create new records. Instead, it focuses on publishing appropriate information that is already held, including:

  • Governance and decision making, such as organisational structures, policies, consultation arrangements, and relevant meeting papers
  • Spending and financial information, including grants and the use of service charge income
  • Housing stock management, including maintenance programmes, planned works, and progress towards net zero commitments
  • Performance information, such as Tenant Satisfaction Measures, complaints data, inspection outcomes, and regulatory ratings
  • Housing services, including service descriptions and practical guidance for tenants
  • Statutory lists and registers connected to social housing management

Accessibility and tenant awareness

Publication schemes must be easy to find and clearly communicated. Providers are expected to signpost them through websites, tenant handbooks, and regular communications.

Maintenance and redaction

Published information must be kept under review. Out of date material should be updated or replaced, and new information added where relevant.

Redactions are permitted where appropriate and reasonable, but decisions must be justifiable and applied consistently.

Complaints and escalation

If a tenant believes information has been wrongly withheld from the publication scheme, they can complain to the provider. Providers must respond within 30 calendar days. If the issue remains unresolved, tenants can escalate to the Housing Ombudsman.

Chapter 2: Requests for information

Effective from April 2027

From April 2027, tenants will have a legal right to request information relating to the management of social housing.

What information can be requested?

Requests may cover information about:

  • Rent and service charges
  • Repairs and maintenance
  • Estate and communal area management
  • Complaints handling and performance
  • Health and safety
  • Staffing and training
  • Environmental and energy efficiency performance

Requests must relate to a provider’s social housing functions.

Who can make a request?

Requests can only be made by a tenant or a nominated representative acting on their behalf. Requests must be made in writing, and the applicant’s identity must be clear.

Response times and handling

Providers must respond promptly and no later than 30 calendar days after receiving a valid request. Extensions are only permitted in limited and exceptional circumstances.

Where information is already available via the publication scheme, providers may direct tenants to that material.

If relevant information is held by a managing agent or third party, providers are expected to make reasonable efforts to obtain and disclose it.

As Caine Clancy, Data Protection Support Manager, notes:

“One of the biggest practical challenges we see is distinguishing between what should already be published and what genuinely requires a bespoke response. Clear internal processes and staff confidence are essential to avoid delays and inconsistencies.”

Grounds for refusal

Requests may be refused where:

  • Disclosure would be likely to cause harm, excluding reputational harm
  • The requester’s identity cannot be verified
  • The request is unclear, irrelevant, abusive, repeated, or coordinated
  • Compliance would exceed 18 hours of staff time

Providers must publish a clear policy explaining how refusal decisions are assessed and recorded.

Data protection and STAIRs: Getting the balance right

STAIRs introduces enforceable transparency obligations, but it does not dilute data protection responsibilities.

Personal data, sensitive information, and third-party material must still be handled lawfully, fairly, and securely. This makes governance, data classification, and redaction standards critical.

Housing providers that already have strong information governance frameworks will be better placed to adapt. For others, STAIRs highlights gaps that may not previously have been visible.

Learning from early adopters in the housing sector

Some housing associations have already begun preparing for STAIRs by mapping their information holdings, reviewing governance documentation, and trialling publication scheme structures.

At the upcoming STAIRs session on 5 February, practical insight will be shared by Sian Green from Yorkshire Housing, one of the organisations that moved early to understand the operational impact of the standard.

This perspective is particularly valuable for providers that are now starting their own STAIRs journey and want to understand what preparation looks like in practice rather than theory.

What housing providers should be doing now

Although the first formal deadline is October 2026, effective preparation takes time. Key early steps include:

  • Building internal awareness of what STAIRs is and how it differs from data protection rights
  • Identifying information that is likely to fall within the publication scheme
  • Reviewing existing governance, complaints, and information handling processes
  • Clarifying ownership for STAIRs compliance across teams
  • Considering how tenants will be informed about their new rights

Early action reduces the risk of rushed implementation and helps embed transparency into day to day operations rather than treating STAIRs as a last minute compliance exercise.

Join the STAIRs discussion on 5 February

STAIRs raises practical questions that go beyond legislation, from handling complex requests to maintaining publication schemes over time.

On 5 February 2026, Data Protection People will be hosting a live STAIRs session featuring Catarina Santos, Caine Clancy, and special guest Sian Green from Yorkshire Housing. The session will explore real questions being raised by housing associations across the UK and how providers can prepare confidently and proportionately.

The session will be recorded, and access to the information shared by the speakers will be made available afterwards. However, those who join live will have the opportunity to hear the discussion as it happens and engage with the issues in real time.

For housing providers navigating STAIRs, this session offers a chance to deepen understanding, learn from peers, and stay ahead of the standard.

If you would like to join us live for this in-person session, you can secure your ticket here – The Next Step: Preparing for STAIRs

New UK Cyber Action Plan: What It Means for Public Services and Data Protection


The UK government has announced a new Cyber Action Plan aimed at tackling growing cyber threats and strengthening the resilience of public services. The plan responds to increasing cyber attacks on councils, healthcare providers, and other public bodies that hold large volumes of sensitive personal data.

For organisations across the public sector, this announcement reinforces a clear message. Cyber security is no longer just an IT issue. It is a core data protection and governance responsibility.

Why This Matters Now

Cyber attacks against public services are rising in both frequency and impact. Recent incidents have disrupted councils, NHS organisations, and critical infrastructure, affecting millions of people.

The government has acknowledged that cyber threats now pose a direct risk to service delivery, public trust, and personal data security. The new Cyber Action Plan aims to reduce that risk by improving prevention, response, and accountability across the public sector.

From a data protection perspective, this matters because most cyber incidents involve personal data. When systems fail, individuals can suffer financial loss, identity theft, or loss of access to essential services.

What the New Cyber Action Plan Sets Out

The Cyber Action Plan focuses on strengthening defences across public services and supporting organisations that are most exposed to cyber threats.

Key areas of focus include:

• Improving cyber resilience across public sector bodies
• Strengthening incident response and recovery capabilities
• Reducing reliance on outdated and vulnerable systems
• Supporting organisations to meet minimum cyber security standards
• Improving collaboration between government, regulators, and security agencies

The plan also highlights the role of leadership. Senior decision-makers will be expected to take greater responsibility for cyber risk and data protection.

Cyber Security and Data Protection Are Linked

Cyber security and data protection cannot be separated. UK GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data.

A failure to prevent or respond to a cyber attack can quickly become a personal data breach. This can trigger regulatory investigations, enforcement action, and reputational damage.

The Cyber Action Plan reinforces the importance of:

• Strong access controls and monitoring
• Regular patching and system updates
• Secure configuration of systems handling personal data
• Clear accountability for cyber risk at senior level

These measures directly support compliance with UK GDPR’s security and accountability principles.

What This Means for Public Sector Organisations

Public bodies should view the Cyber Action Plan as a call to action. Organisations will be expected to demonstrate that they take cyber risk seriously.

This includes understanding what personal data they hold, where it is stored, and how it is protected. It also means preparing for incidents, not just reacting to them.

Key steps organisations should consider include:

• Reviewing cyber security and data protection governance
• Carrying out risk assessments and DPIAs for high-risk systems
• Testing incident response and business continuity plans
• Ensuring staff receive regular cyber and data protection training
• Engaging senior leaders in cyber risk ownership

Our GDPR Audits and Data Protection Support services help public bodies identify gaps and strengthen resilience.

Regulatory Expectations and Enforcement

Regulators have made it clear that cyber incidents will be assessed through a data protection lens. Where organisations fail to implement appropriate security measures, enforcement action may follow.

The ICO has repeatedly stated that poor cyber security can amount to a breach of UK GDPR. The Cyber Action Plan supports this position by emphasising prevention, accountability, and preparedness.

Organisations that cannot evidence effective controls, training, and governance may struggle to defend their position following an incident.

Our View

At Data Protection People, we welcome the Cyber Action Plan. It recognises that cyber resilience is essential to protecting personal data and maintaining public trust.

However, strategy alone is not enough. Real improvement comes from practical action. Organisations must move beyond policy documents and ensure controls work in practice.

Organisations should embed cyber security into everyday operations, decision-making, and culture. When organisations treat cyber risk as part of data protection governance, they are far better placed to prevent harm.

FAQs

Does the Cyber Action Plan replace UK GDPR obligations?

No. UK GDPR still applies. The plan supports and reinforces existing data protection duties.

Who does the plan affect?

The plan focuses on public services, but its principles apply to any organisation handling sensitive personal data.

What should organisations do first?

Start by reviewing cyber risks, governance, and incident response arrangements.

Contact Us

If your organisation needs support strengthening cyber resilience or meeting data protection obligations, our team can help. We offer Data Protection Support, GDPR Audits, and Training to make compliance practical and effective. Contact us today.

Source

UK Government, “New cyber action plan to tackle threats and strengthen public services”.

UK-EU Cyber Dialogue: Strengthening Joint Cybersecurity Cooperation


The third UK-EU Cyber Dialogue took place in Brussels on 9 and 10 December 2025, bringing senior officials from the United Kingdom and the European Union together to advance cooperation on cyber security policy, regulatory alignment and operational resilience. Held under the framework of the UK-EU Trade and Cooperation Agreement, this annual dialogue reinforces shared priorities in an increasingly complex cyber threat landscape.

What’s New / What Happened

The third UK-EU Cyber Dialogue was co-chaired by officials from both sides, including Andrew Whittaker from the UK Foreign, Commonwealth & Development Office and Irfan Hemani from the UK Department for Science, Innovation and Technology. On the EU side, Maciej Stadajek from the European External Action Service and Christiane Kirketerp de Viron from the European Commission led discussions. Representatives from the UK National Cyber Security Centre, the Home Office and key EU agencies such as Europol and ENISA also participated.

Both parties agreed to hold the next Cyber Dialogue in London in 2026, continuing the annual tradition of structured engagement on mutual cyber security priorities.

Why This Matters for UK Organisations

The UK-EU Cyber Dialogue plays a strategic role in aligning cyber policy and resilience efforts between two major global economies. Given the interconnected nature of cyber threats, including ransomware, state-sponsored attacks and supply-chain vulnerabilities, coherent and coordinated approaches help to minimise disruption and support cross-border trade and investment.

Key areas of focus at the third Cyber Dialogue included:

  • Exchanging views on current and emerging cyber threat landscapes, including deterrence strategies and incident response cooperation.
  • Discussing approaches to align cyber security legislation while seeking to reduce unnecessary compliance burdens on industry.
  • Countering cybercrime including ransomware and other malicious activities that impact businesses and individuals alike.
  • Enhancing cyber capacity building and mechanisms for crisis coordination across jurisdictions.
  • Promoting responsible state behaviour in cyberspace, referencing discussions at multilateral forums such as the United Nations.

For UK organisations, these dialogues are not just diplomatic events: they shape the future of cyber policy frameworks that affect regulatory expectations, cross-border incident response cooperation and compliance strategies for private and public sector entities alike.

What You Should Be Doing Now

UK organisations should view the Cyber Dialogue outcomes as part of a broader trend toward deeper cyber cooperation with the EU. Practical steps to prepare and align your organisation include:

  • Review your cyber risk management framework – Ensure it reflects current threat intelligence and aligns with emerging UK and EU policy trends.
  • Update incident response plans – Confirm processes are compatible with cross-border cooperation and reporting expectations under UK and EU regimes.
  • Check regulatory compliance – Monitor EU cyber regulation developments (such as the Cyber Resilience Act and NIS2 Directive) and assess their relevance to UK operations, especially for organisations operating in or trading with the EU.
  • Train security and compliance teams – Ensure staff understand how cooperative frameworks may affect risk profiling, regulatory expectations and incident escalation workflows.
  • Engage with sector bodies – Participate in industry cyber forums or public consultations to shape policy and better understand implementation expectations.

Our View / Final Thoughts

The third UK-EU Cyber Dialogue underscores the importance of structured cooperation in a domain where threats are transnational, rapid and constantly evolving. Both sides have reaffirmed a shared commitment to proactive cyber security, legislative alignment and resilience building. For UK organisations, staying informed about these engagements helps to ensure that internal cyber policies, incident response strategies and compliance frameworks are fit for a world where digital threats do not respect borders.

Looking ahead, the planned 2026 dialogue in London offers an opportunity for UK stakeholders to deepen engagement, share lessons from implementation of cyber resilience initiatives and focus on practical, interoperable measures that support resilient digital infrastructure for businesses and citizens alike.

FAQs

What is the UK-EU Cyber Dialogue?

The UK-EU Cyber Dialogue is an annual meeting under the UK-EU Trade and Cooperation Agreement where senior officials exchange views on cyber policy, capacity building, deterrence strategies and regulatory approaches to strengthen mutual cyber security cooperation.

Who participates in the Cyber Dialogue?

The dialogue brings together representatives from government departments and agencies responsible for cyber security, digital policy and law enforcement from both the UK and the EU.

Does this affect UK law?

While the Cyber Dialogue itself does not change UK law, it influences policy alignment, best practice adoption and cooperative incident response expectations between the UK and EU. Organisations operating cross-border should consider how evolving standards may shape compliance landscapes.

Will future dialogues have practical outcomes?

Yes. Future dialogues are expected to build on shared priorities, focusing on areas such as cyber crime deterrence, capacity building, regulatory convergence and coordinated crisis response mechanisms.


US Travel Proposal Raises Data Protection Concerns for UK Tourists


UK tourists planning a trip to the United States may soon face new and far-reaching data collection requirements. A proposal published by US authorities suggests that visitors from visa waiver countries, including the UK, could be required to provide up to five years of social media history as part of the ESTA application process.

While the proposal is framed as a security measure, it raises important questions about privacy, digital rights, and proportionality. For UK individuals and organisations, it also highlights the growing tension between border security and personal data protection.

Why This Matters Now

The proposal comes as the US prepares for a major increase in international visitors. The country will host the men’s football World Cup in 2026 and the Olympic Games in Los Angeles in 2028.

Since returning to office in January, President Trump has placed renewed focus on border control and national security. Expanded data collection has become a key part of that approach.

For UK travellers, this could mark a significant change. Social media profiles often reveal political opinions, beliefs, associations, and details of private life. Requiring years of online activity for short-term travel raises questions about fairness and necessity.

Under UK GDPR principles, collecting this volume of personal data would require strong justification. Transparency and proportionality would be essential.

What the Proposal Includes

The proposal was submitted by the US Department of Homeland Security and Customs and Border Protection. It was published in the Federal Register and is now open for public consultation.

If implemented, ESTA applicants could be asked to provide:

• Social media information covering the last five years
• Telephone numbers used during the last five years
• Email addresses used over the last ten years
• Additional information about family members

The proposal does not explain how social media content would be assessed. It also does not clarify which platforms would be included or how long the data would be stored.

US authorities have stated that this is not a final rule. Public feedback will be accepted for 60 days.

Privacy and Digital Rights Risks

Digital rights organisations have warned that mandatory social media disclosure could cause significant civil liberties concerns. Social media content is rarely clear or objective. Posts are often informal, emotional, or taken out of context.

There is also a risk of profiling. Applicants could face delays or refusals based on lawful expression or misunderstood online activity.

From a data protection perspective, the key concerns include:

• Limited transparency around decision-making
• Unclear data retention and sharing practices
• The impact on third parties named or shown in posts
• Pressure on individuals to self-censor online

These risks reflect earlier criticism of social media vetting for student and work visas.

International Data Transfers and UK GDPR

UK GDPR does not apply directly to US border authorities. However, the proposal still has implications for UK organisations.

Employees travelling to the US may share information connected to their professional lives. Personal social media accounts often overlap with work networks and communications.

This reinforces the importance of data minimisation. UK GDPR requires organisations to collect only what is necessary. Reviewing five years of social media for short-term tourism would likely face strong scrutiny in the UK.

What UK Travellers Should Consider

The proposal is still under consultation. However, travellers should stay informed and cautious.

• Review privacy settings on social media platforms
• Avoid sharing unnecessary personal information publicly
• Follow official guidance before submitting extra data
• Be alert to scams using the proposal as a pretext

Any request for information should come only through official US government channels.

What This Means for Organisations

UK organisations with staff travelling to the US should take note. Increased scrutiny of online activity can expose business-related information.

Organisations should consider:

• Reviewing travel and data protection policies
• Providing staff guidance on digital footprints
• Assessing how business information appears online
• Supporting staff who raise privacy concerns

Our Data Protection Training and Data Protection Support services help organisations manage these evolving risks.

Our View

At Data Protection People, we see this proposal as part of a broader shift towards digital surveillance at borders. While security is important, broad data collection must remain fair, necessary, and proportionate.

Our Data Protection Consultant Manager, Catarina Santos, shares her view:

“As a data protection consultant, this proposal makes me uneasy – not for political reasons, but legal and rights-based ones.

Asking ordinary tourists for five years of social media activity feels like a significant shift from identity checks to judgement of expression and behaviour. Social media content is messy, contextual, and often misunderstood. Treating it as a reliable risk signal is questionable at best.

The concern isn’t whether states can protect their borders – they can and should – but whether collecting such broad personal data is necessary, fair, and proportionate for short-term visitors who have no real ability to challenge decisions or understand how their data is assessed.

Once governments normalise this level of digital scrutiny for travel, it’s hard to see where the line is drawn next.”

This development shows why strong data protection principles matter, even beyond UK and EU borders.

FAQs

Is this ESTA requirement confirmed?

No. The proposal is still under consultation and has not been approved.

Would UK travellers be affected?

Yes. UK citizens use ESTA, so any changes would apply to them.

Does UK GDPR protect travellers here?

UK GDPR does not apply to US authorities. It does, however, highlight how unusual this level of data collection would be in the UK.

What should organisations do now?

Organisations should monitor developments and review travel, privacy, and staff guidance.

Contact Us

If your organisation needs support managing international data risks or staff travel policies, our team is here to help. We provide Data Protection Support and Training to keep data protection clear and practical. Contact us today.

Source

BBC News, report on proposed changes to ESTA data collection requirements for tourists.

Data Protection People Podcasts



Santa’s Naughty List, Lessons For Data Retention

Data Protection Made Easy Podcast, Episode 228 – Hosted by Caine Glancy and Special Guest Katarina Douni

This week’s episode takes a festive look at one of the most common challenges in data protection: knowing what to keep, what to delete, and what to safely archive. Inspired by Santa’s famous naughty list, Caine Glancy and first-time guest host Katarina Douni lead a lively discussion on data retention, storage limitation, and the practical steps organisations can take to stay compliant without holding information for longer than needed.

Katarina joined the podcast for her debut session and quickly set the tone with a clear message: many organisations continue to struggle with retention. She explored why data decisions matter, how retention periods should be approached, and why email is often the biggest culprit for uncontrolled storage. The session sparked strong engagement from our live audience, and the chat was filled with questions, examples, and shared challenges around retention, erasure, and day-to-day pressures inside busy teams.

Caine and Katarina walked listeners through common problems such as the overuse of email as a filing system, storing information long after its purpose has expired, and the difficulty teams face when deciding how long is long enough. They also discussed the risks of under-collecting or over-collecting information, the impact this has on storage limitation, and how organisations can simplify their retention rules to reduce confusion and avoid unnecessary risk.

As always, the live chat added a valuable layer to the discussion. Attendees shared their own retention periods, debated tricky scenarios, and raised questions that pushed the session further. The interactive nature of the podcast remains one of its key strengths and gives practitioners the chance to test ideas, compare approaches, and learn from each other in real time.

This episode is ideal for anyone who handles personal data, manages email systems, or oversees compliance. It provides clear explanations, relatable examples, and practical steps that can be applied immediately. With year end approaching, the timing could not be better for organisations reviewing their retention schedules or tackling email backlogs.

If you listened back on Spotify and want to join a future episode live, you can request an invite by emailing info@dataprotectionpeople.com. Live attendees can take part in the chat, ask questions, and access the deeper insight that comes from community discussion.

We host Data Protection Made Easy every Friday at 12:30 and new listeners are always welcome. Our community continues to grow each week with hundreds joining live and many more tuning in through audio platforms.

If you work in the housing sector, you may also be interested in our upcoming in-person STAIRs event taking place on the 5th of February. Details can be found on our website and on LinkedIn.

Listen below and enjoy this festive and practical dive into data retention.

GDPR Radio – Digital Omnibus, Personal Data and SAR Reform

Digital Omnibus, Personal Data Changes and What They Mean for You

Episode 227 of the Data Protection Made Easy Podcast, hosted by experts at Data Protection People. This episode was broadcast live via Microsoft Teams in front of an audience of listeners.

What We Covered in This Session

A Catch Up from Caine and Catarina

The episode opens with a look at what the team have been working on. Catarina reflects on a very busy week supporting a major client project alongside her team. Caine shares updates on ongoing STAIRs sessions for social housing providers and hints at an in person STAIRs event coming soon.

Both hosts also discuss their guest appearance on another organisation’s podcast where they explored how users understand privacy information, how organisations communicate their obligations and why cross functional training is so important.

The Digital Omnibus Package Explained

The main focus of the episode is the European Commission’s Digital Omnibus package, announced on 19 November. The discussion highlights several of the most significant proposals, including:

1. A New Approach to Personal Data

The proposal introduces a major shift. Information would be classed as personal data only if the controller has means reasonably likely to identify the individual.
The team explore:

  • how this could narrow the scope of personal data
  • what this means for indirect identifiers and pseudonymised data
  • how case law from Europe is already pushing towards this direction
  • how this might affect UK organisations if mirrored in future reforms

2. Changes to Data Breach Reporting

Catarina outlines proposals that:

  • raise the threshold so only high risk breaches need regulator notification
  • extend the deadline from 72 to 96 hours

Caine questions whether reducing low risk reporting could hide patterns of poor practice and the group debate what this means for real world compliance.

3. Reforms to Cookie Rules

The Digital Omnibus seeks to simplify cookie requirements by reducing reliance on consent for low risk purposes such as security and aggregated analytics. The team draw comparisons with the UK DUA Act and consider how consent fatigue has shaped this direction.

Insights from Guest Contributor David Appleyard

David shares two important observations:

1. SAR Purpose Tests

Under the new proposals, organisations may reject or charge for a SAR if the purpose is not to access personal data, for example in an employment dispute. This could be a significant change for many organisations that currently process large volumes of tactical or grievance based SARs.

2. High Risk AI Processing

David explains that the EU is pushing back deadlines for identifying high risk AI processing due to a lack of clear guidance, with expectations now set for no later than December 2027.

CNIL Research on Selling Personal Data

Caine introduces a study from the CNIL which found that 65 percent of surveyed French citizens would sell their personal data for between 1 and 100 euros. The hosts explore:

  • why people undervalue their own data
  • how advertising, profiling and AI training increase the true value
  • the growing need for public awareness and transparent communication

Looking Ahead

The session closes with a reminder that the next podcast will explore data retention, followed by an update that the team are working on the new in house DPP studio.

About the Data Protection Made Easy Community

Our podcast community is one of the most active privacy networks in the UK with more than 150 regular live attendees and over 1,600 subscribers across all audio platforms. Joining the community gives you access to:

  • free weekly live sessions with the chance to ask questions
  • practical guidance from experienced consultants
  • early access to slides and resources
  • networking with other privacy and security professionals
  • invites to in person events, workshops and sector focused discussions
  • exclusive content only available to our community members

Attending live offers clear benefits. You can join the conversation, shape the discussion, raise real world challenges and take part in polls, chat and Q and A. Many listeners tell us they get far more value from attending live than listening back later.

We also have a strong line up of sessions taking us through to the end of the year, covering topics such as data retention, AI risk, international transfers, STAIRs, marketing compliance and more.

If you are not yet part of the Data Protection Made Easy community, you can join for free and get involved straight away.

Subject Access Requests in Practice, Community Q and A


After our first SARs session, we picked up the phone and asked our listeners what they struggle with most in real life. They shared questions, tricky scenarios and points of disagreement. In this follow up episode of the Data Protection Made Easy podcast, Caine Glancy and Oluwagbenga Onojobi work through those issues live with members of our community.

What we discussed

In this session we explore:

  • Where to draw the line on property information as personal data in social housing
  • How far to go when providing repair history and tenancy records
  • SARs linked to disrepair claims, when to push back and when to provide more to be helpful
  • Redacting staff names in emails and HR files, and what counts as excessive redaction
  • How different organisations approach employment SARs and grievances
  • Using the third party exemption to protect staff and witnesses
  • Applying a reasonable and proportionate search so you focus your effort where it matters most
  • The importance of documenting decisions and communicating clearly with data subjects

Listeners share how they handle these issues in housing and HR, which gives a rounded view of what is happening on the ground, not just what the legislation says.

Who this session is for

  • Data Protection Officers and privacy leads
  • SAR handlers and information governance teams
  • Housing providers dealing with disrepair and complaint driven SARs
  • HR professionals managing employment SARs and grievances

If you are trying to balance transparency with protecting third party rights, you will find this discussion especially useful.

Listen back and join the community

You can listen back to this episode now on Spotify and all major podcast platforms.

If you are not yet part of the Data Protection Made Easy community, complete our contact form and ask to join. Membership is free. You will receive a weekly invite to our live Friday sessions, access to visual materials, and ongoing support from over 1,500 like minded data protection practitioners.

Coming up next, GDPR Radio

This week our live Friday session is a GDPR Radio episode. Caine, Catarina and the team will be back to look at the latest news, enforcement action and real world challenges from across our community. If you would like to receive an invite, fill in our contact form and the team will add you to the mailing list.

Cookies in 2025 – Trick or Treat, Part Two


This Halloween special of the Data Protection Made Easy Podcast dives into two hot topics: consent or pay, and cookieless advertising. Watch or listen on demand below.

Recorded: Friday 7 November 2025

Hosts: Catarina Santos with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller, cameo from Phil Brining

In this 30 minute session we focus on the implications of consent or pay under UK GDPR and what the move to cookieless advertising means in practice. We also touch on recent regulatory opinions and enforcement trends. The aim is simple: give you practical clarity that reduces risk without hurting conversions.

What we cover

  • The implications of consent or pay under UK GDPR and related data protection principles
  • How the transition to cookieless advertising affects the lawful use of personal data
  • Recent regulatory opinions and enforcement trends in the adtech space

Key takeaways

  • A clearer understanding of the data protection framework as it applies to modern advertising
  • Insights into compliance risks and regulator expectations
  • Discussion of the challenges organisations face when aligning commercial practices with data protection law

Your hosts

Catarina Santos with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller, cameo from Phil Brining.

Join the Data Protection Made Easy community

One of the UK’s largest data protection communities, more than 1,500 subscribers, over 200 episodes on major audio platforms. Join for free, get weekly live invites, monthly newsletters, and first access to in person events.


Missed Part One?

If you missed our first conversation on cookies, you can catch up on that episode, along with more than 200 others, on the Data Protection Made Easy Podcast.



Data Protection People Whitepapers

Data Privacy Learning & Guidance

How to Respond to a Data Subject Access Request (DSAR)

Read about how to properly handle a Data Subject Access Request (DSAR) as the data controller at an organisation that has received a request.

Do I need to do a DPIA?

Learn about Data Protection Impact Assessments (DPIAs) and how to manage them.

Data within Education

Having joined Data Protection People as a graduate fresh from finishing Leeds Beckett University, my knowledge of GDPR and data protection was virtually non-existent; I was well and truly thrown in the deep end. You could say it was like learning how to run before I could walk. Luckily alongside having to…

Outsourced Consultant Versus In-House?

Do I need to do a DPIA? Whenever you implement a new processing activity, system, or process, you should consider whether a DPIA is needed. This should be done as early as possible in the process to allow time for the implementation of risk mitigation. Step One: is a DPIA legally required? The first thing…

Join our community

Our mission is to make data protection easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.