Residential landlords collect more personal data than many realise.
A landlord may hold a tenant’s name, address, phone number, email address, date of birth, bank details, employment information, references, guarantor details, ID documents, right-to-rent evidence, rent statements, repair reports, complaint records, arrears history, photographs, inspection notes and sometimes CCTV footage.
That information is not just “paperwork”. It is personal data.
That means landlords need to think carefully about how they collect it, use it, store it, share it and eventually delete it.
Why this matters
Data protection law is often misunderstood by landlords. Some assume it only applies to large companies, technology businesses or organisations with thousands of customers.
That is not correct.
The UK’s data protection legislation controls how personal information is used by organisations, businesses and government departments. A landlord who handles tenant data for rental business purposes may have data protection responsibilities.
The ICO says individuals have the right to be informed about the collection and use of their personal data, including the purposes for processing, retention periods and who the data will be shared with. This information is commonly called privacy information.
For landlords, this usually means having a clear privacy notice.
What is a landlord privacy notice?
A privacy notice explains how the landlord uses personal data.
It should be written in clear, straightforward language and given to applicants, tenants, guarantors and possibly other occupiers where relevant.
A good privacy notice should explain:
- who the landlord is;
- what personal data is collected;
- why the data is collected;
- the lawful basis for using it;
- who the data may be shared with;
- how long the data may be kept;
- what rights the person has;
- how the person can contact the landlord;
- how to complain if they are unhappy.
The ICO says privacy information must be provided at the time personal data is collected from the individual.
That means landlords should not wait until there is a dispute. Privacy information should be part of the normal letting process.
What tenant data do landlords collect?
A landlord may collect data at several stages.
1. Enquiry and viewing stage
This may include:
- name;
- phone number;
- email address;
- preferred move-in date;
- household size;
- basic affordability information;
- viewing availability;
- accessibility needs;
- pet information.
Even before a tenancy exists, the landlord may already be processing personal data.
2. Application and referencing stage
This may include:
- current address;
- previous addresses;
- employment details;
- income information;
- credit check information;
- landlord references;
- employer references;
- guarantor details;
- identity documents;
- right-to-rent evidence.
This stage can involve particularly sensitive or high-risk information because it may include financial data and identity documents.
3. Tenancy set-up
This may include:
- tenancy agreement details;
- deposit information;
- rent payment details;
- next of kin or emergency contact details;
- utility information;
- household members;
- permitted occupiers.
Landlords should only collect information that is genuinely needed.
4. Tenancy management
This may include:
- repair reports;
- photographs of damage or condition;
- inspection notes;
- rent statements;
- arrears correspondence;
- complaints;
- anti-social behaviour reports;
- neighbour complaints;
- contractor communications;
- notices served;
- records of access arrangements.
Some tenancy management records may contain information about other people too, such as neighbours, visitors, contractors or family members.
5. End of tenancy
This may include:
- checkout reports;
- deposit deductions;
- forwarding address;
- rent arrears;
- utility closure information;
- dispute records;
- correspondence after the tenancy ends.
Data protection duties do not end the day the tenant moves out.
The data protection principles landlords should know
The ICO’s guidance explains the UK GDPR data protection principles, which are central to how organisations should handle personal data. For landlords, the most practical principles are these.
1. Lawfulness, fairness and transparency
Landlords need a valid reason for using tenant data, and they should be open about what they are doing.
For example, it is usually reasonable to collect tenant contact details to manage a tenancy. It may not be reasonable to collect excessive personal information that has no clear purpose.
2. Purpose limitation
Data should be collected for a specific purpose and not reused in unexpected ways.
For example, using a tenant’s phone number to arrange repairs is expected. Adding the tenant to unrelated marketing lists without proper consent or another lawful basis may not be.
3. Data minimisation
Landlords should not collect more information than they need.
If a landlord only needs to confirm that an applicant has a right to rent, they should be careful about copying or retaining excessive documents unnecessarily.
4. Accuracy
Tenant records should be accurate and kept up to date where necessary.
Incorrect arrears records, wrong contact details or outdated guarantor information can create serious problems.
5. Storage limitation
Data should not be kept forever.
Landlords should decide how long different types of records need to be retained and should delete or anonymise data when there is no longer a good reason to keep it.
6. Security
Landlords should keep tenant data secure.
That means thinking about passwords, email security, paper files, cloud storage, shared devices, contractor access and agent systems.
7. Accountability
Landlords should be able to show that they have taken data protection seriously.
This does not necessarily mean creating complicated corporate policies. But it does mean having sensible records, clear procedures and evidence of good practice.
Why privacy notices matter
A privacy notice is often the simplest way to show transparency.
Without one, tenants may not know:
- why their data is being collected;
- how long it will be kept;
- whether it will be shared with agents or contractors;
- whether it will be used for referencing;
- whether it will be shared with insurers, solicitors, councils or deposit schemes;
- how to make a data request.
A privacy notice also helps landlords think clearly about their own systems. If the landlord cannot explain why a piece of information is being collected, that may be a sign that it should not be collected.
Who might landlords share data with?
Landlords may need to share tenant data with:
- letting agents;
- referencing agencies;
- deposit protection schemes;
- maintenance contractors;
- gas engineers;
- electricians;
- inventory clerks;
- insurers;
- mortgage lenders;
- solicitors;
- courts;
- local authorities;
- police or emergency services;
- utility providers;
- freeholders or managing agents;
- debt recovery agents.
Sharing data is not automatically wrong. But it should be necessary, proportionate and explained in the privacy notice.
For example, giving a contractor a tenant’s phone number to arrange a repair may be reasonable. Sending an entire tenancy file when only an appointment time is needed may not be.
Data retention: how long should landlords keep records?
One of the hardest questions is how long to keep tenant data.
There is no single retention period that applies to every document. Landlords need to think about the purpose of each record.
A practical retention approach might include:
| Type of record | Possible reason for keeping |
|---|---|
| Tenancy agreement | Evidence of contract terms |
| Deposit protection documents | Deposit disputes and compliance evidence |
| Rent statements | Accounting, arrears and tax records |
| Repair records | Disrepair claims, safety duties and property history |
| Gas and electrical safety records | Statutory compliance evidence |
| Right-to-rent checks | Immigration compliance evidence |
| Complaint records | Dispute handling and evidence |
| Applicant data where no tenancy is granted | Referencing and decision records for a limited period |
| ID documents | Only where genuinely necessary and not longer than needed |
The important point is that landlords should not simply keep everything indefinitely.
A good retention policy does not need to be complicated. It can be a clear table explaining what is kept, why it is kept and when it will be deleted.
Applicant data: a hidden risk
Many landlords focus on tenants but forget unsuccessful applicants.
If ten people apply for a property and only one becomes the tenant, the landlord may still hold personal data about the other nine.
That information might include income details, employment information, references, pet details, household information and contact details.
Landlords should decide how long unsuccessful applicant data is needed. In many cases, it should not be kept for long unless there is a clear reason, such as handling a complaint or showing why a decision was made.
Identity documents and right-to-rent checks
Identity documents are high-risk records.
Passports, biometric residence permits, share codes and right-to-rent evidence should be handled carefully. They should be stored securely, accessed only by people who need them and deleted when there is no longer a lawful reason to keep them.
Landlords should also avoid collecting more identity information than necessary.
A casual photo of a passport stored in a personal phone camera roll is not good practice.
Repairs, photographs and inspections
Landlords often take photographs during inspections or repairs.
Photos can be useful evidence, but they may also capture personal belongings, children’s items, medication, religious items, financial documents or other private information.
Landlords should:
- avoid photographing unnecessary personal items;
- explain why photos are being taken;
- store inspection images securely;
- avoid sharing images casually by messaging apps;
- delete images when no longer needed.
Repair records can also reveal personal information, particularly where repairs relate to disability, health, family circumstances or vulnerability.
Arrears and complaints
Rent arrears and complaints should be handled carefully.
A landlord may need to keep arrears records, but those records should be accurate and not shared unnecessarily. For example, discussing a tenant’s arrears with neighbours, employers or unrelated third parties could create serious data protection and confidentiality issues.
Complaints should also be recorded professionally. Internal notes should be factual and appropriate. Landlords should remember that tenants may have the right to request copies of their personal data.
Subject access requests
Tenants, former tenants, applicants and guarantors may ask for copies of personal data held about them. This is commonly known as a subject access request.
Landlords should know how to recognise and respond to one.
A request does not need to use formal legal language. A tenant saying, “Please send me all the information you hold about me,” may be enough.
Landlords should:
- identify what data is held;
- search emails, documents, messages and files;
- avoid deleting data because a request has been made;
- consider whether third-party data needs to be redacted;
- respond within the required timeframe;
- keep a record of the response.
Security: where landlord records go wrong
Tenant data can be lost or exposed in everyday ways.
Common risks include:
- tenant documents stored in personal email accounts;
- ID documents saved in phone photo galleries;
- paperwork left in cars;
- spreadsheets without passwords;
- old laptops with tenancy records;
- sharing full tenant files with contractors;
- using weak passwords;
- failing to remove an ex-agent’s access;
- sending emails to the wrong tenant;
- printing documents and not disposing of them securely.
Good security does not always require expensive systems. It starts with sensible habits.
What should a landlord privacy notice include?
A landlord privacy notice should usually cover:
- landlord name and contact details;
- categories of personal data collected;
- purposes for using the data;
- lawful bases for processing;
- who data may be shared with;
- whether data is transferred outside the UK;
- retention periods;
- tenant rights;
- complaint rights;
- how to contact the landlord about data protection.
It should be clear enough for a tenant to understand without legal training.
Why the Renters’ Rights Act makes data records more important
The Renters’ Rights Act increases the importance of written information, notices, evidence, complaint handling and formal tenancy management.
That creates more records, not fewer.
Landlords may need to keep better evidence of:
- tenancy terms;
- information sheets;
- rent increase notices;
- possession grounds;
- repair reports;
- pet requests;
- complaints;
- decisions about applicants;
- communications with tenants;
- council or ombudsman correspondence.
This makes privacy notices and retention policies more important. The more records landlords create, the more carefully they need to manage them.
Common landlord mistakes
1. Having no privacy notice
A landlord who collects tenant data should be able to explain how it is used.
2. Keeping everything forever
Old applicant files, ID documents and outdated tenancy records should not be kept indefinitely without reason.
3. Collecting excessive information
Landlords should only collect what they genuinely need.
4. Sharing too much with contractors
A contractor may need a tenant’s phone number and address. They usually do not need a full tenancy file.
5. Storing ID documents insecurely
Identity documents need stronger protection than routine correspondence.
6. Forgetting guarantors and applicants
Data protection duties are not limited to current tenants.
7. Using personal devices carelessly
Tenant data stored on phones, laptops and personal email accounts still needs to be protected.
Practical checklist for landlords
Landlords should:
- create a clear privacy notice;
- give privacy information at the start of the letting process;
- list what tenant data they collect;
- identify why each item of data is needed;
- avoid collecting unnecessary information;
- store ID documents securely;
- limit access to tenant files;
- review what is shared with agents and contractors;
- create a retention schedule;
- delete old applicant data when no longer needed;
- keep repair and complaint records factual;
- prepare a process for subject access requests;
- review data protection practices after changing agent or software;
- check whether ICO registration is required.
The key takeaway
Landlords are not just managing bricks and mortar. They are managing personal information.
A privacy notice, sensible retention periods and secure record-keeping are now part of responsible property management. As rental regulation becomes more formal, landlords need to know what data they hold, why they hold it, where it is stored, who it is shared with and when it should be deleted.
Tenant data is a compliance issue. It should be treated with the same seriousness as deposits, safety certificates and tenancy documents.
NetRent does not provide legal advice. This article represents our understanding of rental property law and data-protection compliance.
Telephone: 01352 721300
Email: support@netrent.co.uk