Yes. Registers can and often should be redacted if publishing them would disclose personal data unnecessarily or if there are reasonable grounds to withhold specific information.

STAIRs promotes openness, but it does not override UK GDPR principles such as data minimisation and confidentiality.

In practice, housing providers should:

• remove names, addresses, phone numbers, and other identifiers
• publish summaries or anonymised extracts instead of raw logs
• explain what information is held and how residents can request access through appropriate routes
• document and govern redaction decisions, with appropriate oversight

The aim is transparency about how systems operate and are overseen, not the exposure of individuals.

No. It does not normally require publishing every operational spreadsheet, working document or internal register.

The requirement is about transparency of governance and information flows, not exhaustive disclosure. In most cases, compliance is achieved by explaining:

• what registers exist
• what they cover
• why they are kept
• how people can request information from them through appropriate routes

You should avoid publishing anything that could compromise privacy, safety, or security or the effective operation of services. Some registers may be inappropriate to publish in any form and should instead be described at a high level.

Yes, time spent searching, retrieving, and preparing information can be counted when assessing whether the cost threshold is exceeded. However, after our discussions at the event we believe that this may easier said than done.

This may include:

• staff time across departments
• retrieving archived or off-site material
• consulting contractors or managing agents
• reviewing and redacting information

Housing providers should:

• estimate time realistically and reasonably
• record how calculations were reached
• apply thresholds consistently
• keep clear audit trails

Exceeding the threshold does not remove the need to act fairly. Providers should consider whether partial disclosure, advice or signposting is appropriate. Being able to evidence and explain the decision is essential.

Yes. DPIAs and information risk assessments should be built into your STAIRs framework, applied proportionately to higher-risk or novel disclosures.

They help you:

• assess risks before publishing datasets
• review existing disclosures
• Determine whether anonymisation or aggregation is required
• decide appropriate retention periods
• demonstrate accountability and defensible decision-making

Embedding privacy and risk assessment by design avoids having to retrofit controls later and provides a clear audit trail if decisions are questioned.

Yes, it usually reduces routine, repeated or clarification-based requests. Many requests arise simply because people cannot easily find information that already exists.

If residents can easily find policies, repairs data, complaints processes, and governance information, fewer people need to submit formal requests.

However:

• some personalised requests will still arise
• historic records may still be sought
• sensitive or complex cases will always need bespoke handling

STAIRs should be seen as reducing pressure and friction, not eliminating information requests entirely.

Yes. Training was one of the most common questions on the day.

Effective preparation often includes:

• STAIRs awareness sessions
• publication scheme workshops
• DPIA and risk assessment training
• Practical redaction exercises
• scenario based request handling

Organisations that invest early tend to embed compliance far more smoothly and consistently. Data Protection People offer training tailored toward the housing sector for STAIRs, including both ready-made programmes and bespoke sessions aligned to organisational needs.

Yes. Digital case management tools can make a significant difference, particularly where request volumes or organisational complexity are high.

They allow teams to:

• log requests centrally
• track statutory deadlines
• allocate and monitor tasks
• record decisions and rationales
• report trends and assurance information to boards

Good tooling supports defensibility, consistency and operational resilience, though it is not a prerequisite for STAIRs compliance.

DataWise is Data Protection People’s information management software designed to support anyone responsible for data protection. In our upcoming software update we will extend its capabilities to offer STAIRs request management.

No. Reports such as asbestos surveys or fire risk assessments do not usually need to be rewritten from scratch.

However, providers should recognise that such reports may or may not contain personal data. Even where names are not included within the reports, personal data can arise through indirect identifiers such as property references, photographs, annotations or location-specific detail.

However, providers should consider:

• removing or redacting personal data, including indirect identifiers where appropriate
• adding a short explanatory note to provide context
• checking whether technical detail creates safety or security risks
• redacting sensitive site layouts or access information

Any explanatory material should clarify context, not alter the substance of professional findings. Clarify and safety matter just as much as openness.

Yes, some activities may fall outside a provider’s core social housing functions, depending on how they are structured and governed.

These can include:

• purely commercial operations
• charitable arms operating independently
• subsidiaries or joint ventures
• community projects delivered separately from housing services

Each organisation should map its structure carefully and document what is and is not in scope for STAIRs, including the rationale for those decisions.

No, full unredacted minutes are not usually appropriate for publication.

Good practice is to:

• publish high-level summaries or extracts
• protect confidential and commercially sensitive discussions
• remove personal data
• explain clearly what information is withheld and why

The aim is transparency and assurance about governance, balanced with legal, fiduciary and confidentiality obligations.

STAIRs complaints relate to access to information and transparency, rather than service delivery, and are therefore handled outside the Housing Ombudsman Complaint Handling Code.

A response timeframe of up to 30 calendar days is appropriate for STAIRs complaints.

This reflects the time needed to locate information, consider redactions, assess risk, consult where necessary, and document decisions properly.

Where additional time is required due to complexity, this should be explained clearly and managed in line with the organisation’s published STAIRs process.

If a resident is dissatisfied with the provider’s response to a STAIRs complaint or review, they may escalate the matter to the Housing Ombudsman Service under the terms of the Housing Ombudsman Scheme, once the provider’s internal process has been exhausted.

Complaints are normally expected to be referred within 12 months of the provider’s final response. Responses to STAIRs complaint reviews should clearly confirm when the internal process has concluded and explain the resident’s right to access the Housing Ombudsman scheme and how to do so.

Yes. All attendees will receive the presentation decks during the event.

If you did not attend the event and would still like a copy of the presentations shared on the day, you can:

• speak to any member of the team
• email info@dataprotectionpeople.com
• request them through our Contact Us page
• Click on the button below to download via WeTransfer

We are very happy to share the materials.

If you enjoy these kind of discussions, the Data Protection Made Easy podcast is where many of them continue long after these events take place.