
How housing associations can prevent data incidents

Posted by Rick Goud on 3rd January 2024


Like all businesses, housing associations are relying on technology to streamline operations and drive efficiencies. This is particularly true for resident engagement; technology is making it easier for associations to speak with tenants and service users, thereby improving service delivery: reporting repairs, managing tenancies, onboarding, payments, council tax, managing instances of ASB and other community matters - the list goes on. In addition, associations regularly need to communicate with external agencies, such as the police and local councils. 

But where technology has brought huge benefits in terms of replacing print and postage, it also presents challenges around interoperability. Platforms used by one agency are likely to pose problems for those using others. Add to the mix the matter of digital inclusion for residents, and the very big issue of data protection, and it is easy to see how technology may be viewed as a double-edged sword for housing organisations.

So how do you communicate with stakeholders easily and efficiently, without putting information at risk? 

Unveiling vulnerabilities

The media is quick to pick up on instances of data breaches. When resident data is involved, headlines can be damaging. 

In several documented cases, housing association employees have mistakenly sent confidential data to the wrong recipients via email. This simple yet costly mistake has far-reaching consequences, compromising the privacy and security of tenants and employees alike.

Human error continues to be the leading cause of data loss events. According to the latest data from the ICO, 75% of all reported incidents resulted from non-malicious activity.

As well as emails sent to the wrong recipient, misuse of Bcc and failure to redact sensitive data are both common causes of data loss events. When misapplied, Bcc can lead to unintended disclosure of sensitive data. Housing associations have witnessed instances in which employees inadvertently exposed email addresses in this way, leading to potential phishing attacks and unauthorized access to communications.

Failure to redact sensitive data before sending emails has also resulted in the unintended dissemination of confidential information, exposing housing associations to regulatory non-compliance and eroding the trust of tenants and stakeholders.

Housing associations and the GDPR

Speaking directly about housing associations in a recent blog, Helen Raftery, Head of Data Protection Complaints at the ICO, expressed concern around the quantity of complaints received from residents:

“We have received a number of complaints from residents who have been failed by poor data protection practices from their housing association, company or landlord (...) Our complaints data suggests that there is a lack of understanding about data protection law by some organisations in the UK housing sector.”

 

Housing associations are obliged, like any organisation, to meet the requirements of data protection laws including the GDPR.

This means that staff must consider the disclosure of data, the justification for it, and the potential risks of sharing data, including the means by which it will be shared. For example, data protection teams and employees should ask what is to be achieved by sharing data, whether it is fair to share the data in a particular way, and what safeguards are in place to minimise the risks or potential adverse effects of data sharing. If the instance is particularly high risk, a Data Protection Impact Assessment may be carried out.

A lack of understanding around what constitutes sensitive information also sees some housing associations refusing to provide information upon request, citing data protection laws as the defense. 

In addition, failure to keep accurate records has also seen many housing organisations fall short on meeting their obligations under data protection laws. For example, poor record keeping when managing resident repairs communications, complaints procedures, or FOI requests could result in compensation orders, fines, and reputational damage.

How to share data compliantly 

To mitigate these risks, housing associations must implement email security protocols that empower employees to work securely, compliantly, and efficiently. 

Email remains the preferred method of communication for housing associations; it is easy to use for employees and residents, and promotes reliable interoperable communication with external agencies and partners.

However, email alone does not provide the level of security needed to protect sensitive data in transit or at rest, or to support associations in meeting their obligations under the GDPR. That is why, as evidenced by the ICO, email is where the most common data breaches occur.

Enhancing email with advanced security features and encryption supports organizations in preventing data loss incidents, without introducing additional platforms and complicating workflows. Email is reliable, universal, and user-friendly - it just needs an additional layer of security to make it fit for purpose for housing associations today.

Zivver integrates seamlessly with Outlook and M365 to empower employees to protect sensitive data in emails and files, avoid the leading causes of data incidents, and engage effortlessly with stakeholders. Here’s how:

1. Advanced email encryption:

Implementing advanced encryption tools safeguards emails during transit and at rest. Zivver applies zero-access encryption, ensuring emails do not fall into the wrong hands and, unlike many email security providers, we don’t hold encryption keys. So when we say secure, we mean secure.

2. Two-factor authentication (2FA):

Applying 2FA adds an additional layer of security to emails by requiring users to verify their identity before opening an email or file. 2FA supports compliance with the GDPR, and provides a super user-friendly experience for recipients whilst assuring them that data protection is a priority for your organization.  

“We utilize Zivver’s multi-factor authentication controls, using phone numbers to ensure only the right people can access sensitive emails. In addition, users are also using the expiration controls to control access to files after sending. Employees find this functionality particularly useful.” Soha Housing

 

3. Recall you can rely on:

Recalling emails sent in error, or regaining control over messages once sent, is difficult with standard email. With Zivver, senders can revoke access to emails, no matter how long after sending. They can also ascertain whether emails have been opened or forwarded; if a message is yet to be opened, users can guarantee a data incident has been avoided. Phew.

4. Reporting suite:

By proactively assessing employee behavior and email performance, administrators can support employees with tailored training, and meet their obligations under the GDPR to report on potential incidents or near misses.

“We can access data and reporting on user activity in the back end, including some interesting statistics regarding data incidents avoided. We can even see when emails have been recalled. This data supports us in meeting compliance.” Soha Housing

 

5. Share large files:

Zivver Large File Transfer integrates with Outlook and M365 to make sending large files easy. Due to size limits, employees often rely on third-party file transfer sites to share large data sets and files. However, these sites aren’t always compliant or user-friendly. We keep things simple!

6. Identify sensitive data before sending:

One of the leading causes of data breaches is failure to redact sensitive data. Often, this occurs when an employee has accidentally shared a file containing sensitive information without realizing it is there. Zivver identifies sensitive data, including financial information and National Insurance numbers, in the body and attachments of emails, and alerts the sender so they can take the necessary action to remove the data or encrypt it before sharing.
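A pre-send check of the kind described in point 6, combined with the Bcc mistake covered earlier, can be sketched as follows. This is an added example, not Zivver's implementation: the internal domain, the recipient threshold and the sample message are constructed assumptions, and the pattern follows the published National Insurance number format.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# NI number: two prefix letters, six digits, suffix A-D. D, F, I, Q, U, V are
# not used as prefix letters, O is not used as the second letter, and the
# prefixes BG, GB, KN, NK, NT, TN and ZZ are never issued.
NINO_RE = re.compile(
    r"\b(?!BG|GB|KN|NK|NT|TN|ZZ)"
    r"[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r"\s?(?:\d{2}\s?){3}[A-D]\b",
    re.IGNORECASE,
)
INTERNAL_DOMAIN = "housing.example"  # assumption: the sender's own domain
MAX_VISIBLE_EXTERNAL = 3             # assumption: above this, expect Bcc

def visible_external(msg):
    """External addresses that every recipient can see (To and Cc)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    suffix = "@" + INTERNAL_DOMAIN
    return [addr for _, addr in pairs if addr and not addr.lower().endswith(suffix)]

def text_parts(msg):
    """Yield the body and any text attachments (e.g. CSV exports)."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()

def pre_send_findings(raw):
    """Return warnings to show the sender before the message leaves."""
    msg = message_from_string(raw, policy=policy.default)
    text = str(msg.get("Subject", "")) + "\n" + "\n".join(text_parts(msg))
    findings = []
    hits = NINO_RE.findall(text)
    if hits:
        findings.append(f"{len(hits)} possible National Insurance number(s)")
    external = visible_external(msg)
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"{len(external)} external addresses visible in To/Cc; use Bcc")
    return findings

# Constructed sample message, not real data.
SAMPLE = """\
From: officer@housing.example
To: a@tenant.example, b@tenant.example, c@tenant.example, d@tenant.example
Cc: manager@housing.example
Subject: Repairs update

Hello, the NI number on the rent account is AB 12 34 56 C.
"""

if __name__ == "__main__":
    for finding in pre_send_findings(SAMPLE):
        print("WARN:", finding)
```

Binary attachments such as PDFs or spreadsheets would need text extraction before the same pattern can be applied to them.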

“Zivver fits into our wider data protection strategy, it provides another layer of protection for our team. I would definitely recommend Zivver to other housing associations.” Soha Housing

 

Ultimately, commitment to cybersecurity not only protects sensitive data but also upholds the trust and confidence of tenants, stakeholders, and communities at large. Rather than waiting for a mistake to happen, it’s time to take the necessary precautions by giving employees the tools they need to protect data.

Security doesn’t have to be stressful or complex. Zivver balances user-experience with security to make doing the right thing easy for people.

Find out how we are supporting housing associations to email securely, or get in touch to see Zivver in action.


Rick Goud

CIO & Founder
