Property Management and ICO Registration
24th November 2020
Commercial Litigation
We have recently been approached by several property management clients with concerns caused by letters received from the Information Commissioner’s Office (ICO) indicating that they should be registered with the ICO and paying a relevant data protection fee. However, it is not unequivocally the case that all property managers must register.
The ICO letters received are not part of a (slightly poorly) targeted enforcement strategy and do not herald a particular investigation by the ICO. They were sent as part of the ICO’s small and medium-sized enterprises (SMEs) data protection fee campaign, which launched in 2019. The ICO has been sending letters to all companies registered on Companies House (there were approximately 4.5 million limited companies registered in the UK in December 2019!) which are not registered with the ICO, asking them to pay a data protection fee and register. The ICO is not considering whether or not the recipients of its letter have to register and is simply sending it to everyone. So, it appears that these letters are a bit of a scare tactic, as they threaten penalties that will be incurred if the fee is not paid, which could be up to £4,000 on top of the registration fee.
However, in the case of property management companies, not all of them will need an ICO registration.
The obligation to register and pay a fee is set out in regulations. According to these regulations, this obligation falls explicitly on Data Controllers. Data Processors and organisations that have no personal data are all exempt. At first glance, it might appear that a property management company would be a Data Controller, as its client, the property owner, will often hold little or no information and the property management company will deal with everything on its behalf. However, this misunderstands the roles of Data Controller and Data Processor.
A Data Controller, despite the title, is not the party in physical possession or direct control of the data. The term refers instead to a party's capacity to decide how the data shall be handled, and by whom. Therefore, a Data Controller does not need to be in possession of personal data or even have day-to-day access to it. It is a Data Controller because it ultimately has the power to decide who will handle the relevant personal data on its behalf.
A property management company will usually not have that level of control, and this will normally be set out in the agreement between the manager and the owner. While a manager might handle the data for the owner, often with little or no oversight, it does not in fact have a complete right to dispose of that data. The owner could, in principle, dispense with the services of the manager at any time, recover the personal data held by the manager, and then have a new manager process the data instead. It is this ability to replace the manager which makes the owner the Data Controller, rather than the manager.
Accordingly, a pure property management company will not be a Data Controller simply because it manages property for a property owner. However, a property manager may be holding personal data in its own right as a Data Controller. So, if a property manager is managing property for individuals, rather than companies, then it will be holding their personal data and be a Data Controller in respect of it, and this will trigger the requirement to register and pay the fee.
Each company needs to assess its situation based on its specific circumstances and with reference to the data protection legislation, which is not particularly straightforward. JMW are able to advise on the respective rights and responsibilities of Data Controllers and Processors.