Landlords operating within the United Kingdom are subject to the provisions of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These laws govern the collection, use, storage, and disclosure of personal data relating to identifiable individuals, including tenants.

A recurring area of non-compliance arises where landlords, seeking to arrange maintenance or repairs, disclose tenant contact details to contractors or third parties without an appropriate legal basis. Such disclosure, even if well-intentioned, can amount to a breach of data protection legislation and expose the landlord to regulatory enforcement or civil claims.

Landlords as Data Controllers

Under Article 4(7) of the UK GDPR, a landlord is deemed a data controller in respect of any personal information processed about tenants. This status imposes specific legal duties, including ensuring that any processing of personal data is:

• Lawful, fair, and transparent;
• Limited to the purposes for which it was originally collected; and
• Restricted to the minimum amount of data necessary for those purposes.

When tenant information is passed to a maintenance contractor, the landlord remains responsible for ensuring that such processing complies with these principles.

Lawful Basis for Processing and Disclosure

A landlord may rely on one of several lawful bases for processing personal data. In maintenance situations, the most common are:

• Performance of a contract (for example, fulfilling obligations under the tenancy agreement to maintain the property in good repair); or
• Legitimate interests, where the landlord’s interest in arranging repairs is balanced against the tenant’s right to privacy.

However, reliance on a lawful basis requires that tenants are informed in advance of how their data may be used and shared. This is normally achieved through a privacy notice provided at the commencement of the tenancy.

The Role of the Privacy Notice

A compliant privacy notice must set out:

• What personal data will be collected;
• The purposes for which it will be used;
• The lawful basis for each use;
• The categories of third parties with whom data may be shared (for example, contractors, managing agents, or utility providers); and
• The tenant’s rights in relation to their personal information.

If the privacy notice does not specify that a tenant’s contact details may be shared with contractors, such disclosure will generally be unlawful unless fresh consent is obtained.

Best Practice in Maintenance Arrangements

The recommended approach is for the landlord or managing agent to act as the intermediary between the tenant and the contractor. Typically:

• The tenant reports a maintenance issue to the landlord or agent;
• The landlord arranges for a contractor to attend, agreeing access times with the tenant directly;
• The contractor is provided only with the information necessary to perform the task (for example, property address and time of appointment).

Direct disclosure of a tenant’s telephone number or email address should be avoided unless the tenant has expressly agreed, or there is a clear lawful basis for doing so.

Registration with the Information Commissioner’s Office (ICO)

Landlords who collect or store tenant information electronically are ordinarily required to register with the ICO and pay a modest annual data protection fee. Failure to register constitutes a breach of data protection law and can attract a fine of up to £4,000, in addition to any penalties arising from other infringements.

Consequences of Non-Compliance

Where a tenant submits a complaint, the ICO has the power to investigate and take enforcement action. Possible outcomes include:

• Formal reprimands and directions to implement remedial measures;
• Financial penalties proportionate to the severity of the breach; and
• Civil claims from tenants seeking compensation for distress or material loss resulting from the misuse of their data.

It is immaterial that the disclosure was made in connection with maintenance — the GDPR applies to all personal data processing activities without exception.

Conclusion

Landlords must approach data protection as an integral part of property management rather than an administrative afterthought. Compliance requires:

1. A valid lawful basis for processing tenant data;
2. A comprehensive and accurate privacy notice;
3. Appropriate controls over disclosure to contractors and third parties; and
4. Registration with the ICO where required.

Failure to meet these obligations can lead to regulatory enforcement, reputational damage, and financial loss. By adopting clear privacy procedures and maintaining transparency with tenants, landlords can fulfil their legal duties while ensuring maintenance is managed efficiently and lawfully.