Earlier this year, the Information Commissioner issued a reprimand to Clyde Valley housing association for infringing UK General Data Protection Regulation (UK GDPR) during the launch of their new customer portal. We look at how Housing Online takes steps to secure customer data in My Home.
In April this year, The Information Commissioner issued a formal reprimand to Clyde Valley Housing Association for alleged infringements of Article 58(2)(b) of the UK General Data Protection Regulation (UK GDPR).
The infringements occurred when Clyde Valley Housing Association launched a new customer portal in July 2022. On the first day the portal launched, a resident discovered they could access documents related to anti-social behaviour cases and were also able to view personal information about other residents, including names, addresses and dates of birth. The resident called Customer Services at Clyde Valley Housing Association to flag the breach, but their concerns were not escalated, and the personal information remained accessible for five days. Following an email to other residents promoting the new portal, four more residents reported the same breach and access to the new system was suspended.
"Housing Online has a robust track record in delivering secure, well-tested systems that are in use in more than 30 organisations"
As Jenny Brotchie, regional manager for Scotland at the ICO, said: “While new digital products and services can improve the experience for customers, these must not come at the cost of the security of personal information. This breach was the result of a clear oversight by Clyde Valley Housing Association when preparing to launch its new customer portal.
“We expect all organisations to ensure they have appropriate security measures in place when launching new products and have tested them thoroughly with data protection in mind, as well as ensuring staff are appropriately trained. We will take action when people’s personal information is not protected.”
You can read the full details of the reprimand on the ICO’s website.
In these cases, it is not usually reported which software provider supplied the customer portal to Clyde Valley Housing Association. We received a number of queries after this news was released, so we want to stress that Clyde Valley is not one of the organisations using My Home, our digital self-service solution. However, it is still useful to look at the ICO’s key findings in this case and to reflect on the steps we take at Housing Online to secure customer data.
Software development is complex, but data security and privacy should be factored in by design at every stage and not just considered in testing. Housing Online is committed to maintaining the highest operational level in systems and processes to protect personal data in accordance with good industry practice and My Home has been built with these requirements foremost in mind.
We follow industry standard secure development practices, in line with the Open Web Application Security Project (OWASP). Security and security testing are implemented throughout the entire software development lifecycle, and we also host regular penetration tests and simulated attacks against our services and systems, conducted by trusted 3rd parties qualified to industry-recognised standards.
We use a change management process designed to ensure that all changes made to the production environment are applied in a deliberate manner. Changes are reviewed, approved, tested, and monitored post-implementation to ensure that the intended changes are operating as expected.
One of the ICO recommendations in this case was to ensure that rigorous testing is undertaken that focuses on data protection prior to the rollout of a portal in the future. Any product launch should involve detailed and documented testing, so we provide a test system that enables staff to create accounts as if they are tenants and to experience My Home as their tenants will experience the system.
Before launch, we also recommend that our customers conduct a pilot release of the portal to a smaller number of tenants. Not only does this help to iron out any issues before a wider release, it can also help to identify any lingering issues and risks.
In addition to all this, My Home has a feature that allows authorised staff to log in to the live system on behalf of any tenant and to see what that tenant sees. This is another feature that provides additional reassurance that the system is working properly.
Of course, setups and configurations vary from My Home to My Home and there is no short-cut around a full programme of carefully tailored testing before each individual go-live. Perhaps this diligence helps to explain why Housing Online has a robust track record in delivering secure, well-tested systems that are in use in more than 30 organisations.
The other key finding by the ICO in this case was that housing association staff were not clear on the procedure for escalating a data breach, leading to a five day delay before the data breach was closed. As software providers we can only act when we are notified of issues, so it is important to make sure there is a widely understood process for staff to follow that minimises any possible delay in the information getting to your software provider for action. At Housing Online, we escalate any notification of a potential data breach to a senior developer within moments for an immediate response.
As a final thought, we also recommend that if you are embarking on a new portal project, then you should make sure your Data Protection Officer (DPO) is involved and that a full data protection impact assessment is carried out.
If you are an existing user of My Home or a customer of our partner HomeMasters and would like to learn more about data protection in My Home, please contact us at info@housing-online.com
Further Reading
- Scottish Housing News: Clyde Valley Housing Association reprimanded for customer portal data breach
- How Data Protection Law can prevent harm in the housing sector. A blog by the ICO.
More About My Home
My Home is Housing Online’s feature-rich, affordable portal that enables landlords to provide their tenants, staff and contractors with easy access to the information and services that they need. With multiple options for customisation and personalisation, My Home is well equipped to grow as you grow. Learn more about My Home with our feature shpeets:
- Read about the Key Features of our My Home Portal.
- Learn about what My Home offers for your tenants.
- Empower contractors to manage work orders with My Home for contractors .
About Housing Online
Housing Online design and build digital solutions for Housing Associations across the UK and beyond. Our My Home Tenant Portal is live in 30 organisations across Scotland, Northern Ireland and England, many with fully integrated websites designed and developed by our team. In April 2021, in collaboration with seven Scottish Housing Associations, we successfully launched These Homes, a Choice Based Lettings web solution.