Viewing properties has become a rare commodity for house hunters. The pandemic has ushered in an age of virtual viewings, conducted online and in a COVID-safe manner.
But one such property, advertised since October 2020 on Rightmove, has been the subject of a data breach. The virtual viewing led to a complaint being sent to the Information Commissioner’s Office.
On careful viewing, the online tour of the home revealed sensitive information about its occupants. When zooming in on one of the photographs taken to advertise the house, that of the study, it was possible to read details of a share dividend cheque, insurance policy documents, and an invoice.
In other rooms, family photos were on display, as were those of pets with their names (which are often used as passwords). Books and reading materials gave clues to political views, and an asthma inhaler also suggested the condition of an individual’s health.
Personal and special category data
In isolation and out of context, many of these items may not constitute personal data. Found anonymously and outside of the home they could be impersonal and unimportant, but when on display in a house, listed alongside the address, and easily connected to the names of individuals living there, they become personal data.
The key identifiers, such as name and address, render the associated data as personal, or even special category data under both the Data Protection Act 2018 and the UK GDPR.
For example, when you connect the inhaler with an individual then it becomes special category data because it informs you about their health. If you can then gather information about their political or religious views from the books on display, and you already have their name and address, it becomes the kind of special category data which contributed to the Facebook-Cambridge Analytica scandal.
What was the result?
In this situation, the estate agents have clearly made a mistake. They had not deliberately collected the information, nor intentionally disclosed it, so the breach will likely be seen as accidental and non-malicious. But this is a significant occurrence with potentially serious consequences for the data subjects, as it gives hackers, phishers, and identity thieves the kind of information that they use for their criminal activities. Whilst it may have been an innocent mistake, it was far from without risk, so it was reported to the ICO.
Undoubtedly virtual tours will be conducted with more care in future.
What can we learn from this?
There is no one-size-fits-all approach to determining personal data. Context plays a role. Anonymous or innocuous data, once connected to personal identifiers like names and addresses, subsequently becomes personal, or even special category.
It is the responsibility of the data controller to manage personal data effectively, whether it appears in a printed, online, or indeed virtual viewing, format. Data protection legislation includes very significant obligations of confidentiality, security, and protection of personal data.
But just like context, intent is also critically important. If those virtual viewing stills were taken by a friend for personal or household use, then even though they were critically identifiable, it would not constitute a breach of data protection laws. It was the commercial and public availability of information which caused the issue, as explained in GDPR article 18:
“This regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.”