Loading Guild Resources
Loading Guild Resources
Loading Guild Resources
The ICO guide to lawful basis covers the possible bases. The right one depends on what you are doing, not which basis is easiest to name.
A landlord will control applicant and tenant information. An agent may control some uses and follow the landlord's instructions for others. Check each use separately. Contract labels do not decide the legal role.
Use contract where the data is necessary to perform a contract with that person, or take steps they have asked for before entering into one.
For example, a landlord may use a tenant's telephone number to arrange a repair required by the tenancy. Give the contractor the details needed for the visit, not the whole tenancy file.
This basis does not cover everything that is helpful during an application. An agent cannot use its management contract with the landlord to justify every use of an applicant's data.
Use legal obligation where processing is necessary to comply with a duty imposed on you by law. Record the law or court order concerned. A tenancy clause, office policy, or desire to keep evidence is not enough.
Examples may include information needed for deposit requirements, tax records, or a binding court order, depending on the exact duty.
Right to Rent checks are an England-only example. Where the statutory scheme applies, a landlord letting premises in England can generally rely on legal obligation for the information needed. An agent may be responsible where the law and its written agreement place that responsibility on it. The landlord scheme does not apply to premises in Wales. A Welsh landlord may still need to verify identity or prevent fraud, but should not describe the English scheme as a Welsh legal duty.
This is often useful for proportionate referencing, preventing fraud, tracing a former tenant who owes money, protecting computer systems, and some marketing. It is not a default answer.
Record three points:
A limited credit check may pass these tests on one application but not another. Common practice does not make an extensive check lawful. Tell people which interests you rely on and provide a way to object. Marketing must stop if the person objects.
Use consent only where the person has a genuine choice. It must be specific, informed, given by clear positive action, and easy to withdraw.
Consent is usually a poor basis for a mandatory application check. Calling a compulsory credit check “consent” does not make it optional. Consent may work for a genuinely optional message or service that a person can refuse without losing the tenancy opportunity. A broad consent clause is not enough.
This narrow basis covers processing needed to protect someone's life. It may apply if a tenant is found unconscious and information must be given to emergency services. It is not the usual basis for welfare concerns, repairs or tenancy management.
This applies where a controller carries out its own legally based public-interest task or official authority. A private landlord cannot borrow a council's public task. Nor can an agent rely on the police's role merely because an officer asks for information.
The landlord or agent needs their own basis for disclosure. This might be a legal obligation, ordinary legitimate interests, or, in a qualifying case, recognised legitimate interests.
Since 5 February 2026, this separate basis has covered a limited list of public-interest situations in Schedule 4 to the Data (Use and Access) Act 2025. Landlord-relevant examples include:
For a public-task request, verify the requester. The request should say the information is needed for its public task and identify the legal basis for that task. Give only what is necessary and record why. Official letterhead alone is not enough.
The list also covers national security, public security, and defence, although these will rarely arise in lettings.
Unlike ordinary legitimate interests, there is no usual balancing test. You must still show necessity and comply with fairness, transparency, security, data minimisation, retention, and people's rights, including the right to object.
Routine referencing, rent collection, arrears management, property management, and commercial marketing do not become recognised legitimate interests because they help the business. Use another basis, often contract, legal obligation, or ordinary legitimate interests.
Choosing a lawful basis may be only the first step.
Sensitive information includes health, ethnicity, religion, political opinions, trade union membership, genetics, sex life or sexual orientation, and biometric information used for identification. You need a lawful basis and a separate condition permitting this data. Collect the relevant facts where possible, rather than keeping a whole document containing unrelated details.
Information about criminal convictions, offences, or a sufficiently specific allegation against a named person also needs a separate legal condition. A crime-related recognised legitimate interest does not remove that requirement. Recording that an applicant is suspected of forgery may be covered even without a conviction.
Marketing emails and text messages have separate rules. Ordinary legitimate interests may cover the use of personal data, but do not automatically permit the message. Marketing emails or texts to individuals usually need consent unless the precise existing-customer exception applies. See the ICO guidance on electronic-mail marketing. A repair appointment or rent statement is a service message, but adding a promotion may change that.
Do not let software make a significant decision, such as automatically rejecting or blocking an applicant, without checking the special rules. A staff member merely clicking “approve” is not a genuine human review. If there is no meaningful human involvement, explain the result and let the person give their side, request a real human review and challenge the decision. Do not use recognised legitimate interests for such a decision. If sensitive information contributes to it, obtain specialist advice before proceeding. See the ICO material on automated decision-making before using automated screening.
Ask suppliers which separate organisations, staff, and subcontractors can access personal data and from which countries. Overseas access by a separate organisation can count as an international transfer even where the server is in the UK. Before using the service, ask the supplier to identify the legal protection and provide evidence. If you choose an overseas supplier directly, obtain specialist advice. “UK hosted” is not enough if overseas staff can log in. See the ICO guide to international transfers.
If you want to use existing information for a materially different reason, first assess whether the new purpose is compatible with the original reason for collection and identify a lawful basis for it. Then update your privacy information where required.
A small landlord may only need a table listing the purpose, data, controller, basis, reason, recipients and review date. Agents and larger portfolio landlords will usually need fuller records because they have more staff, suppliers and processing activities.
For ordinary legitimate interests, keep the purpose, necessity and balancing assessment. For recognised legitimate interests, record the listed condition and why the use was necessary. Privacy information should match what actually happens, including sharing, marketing, automated decisions and overseas access.
Most everyday letting work will rely on contract, legal obligation or ordinary legitimate interests. Consent has a smaller role because applicants and tenants often lack a real choice. Vital interests and public task are narrow.
Recognised legitimate interests is useful for specified public-interest situations, not as a shortcut for normal business. Start with the purpose, identify who controls the use, choose and record the basis before acting, collect only what is needed and review the decision when anything changes.