Tenant Data Protection in the UK: A Guide for Landlords | LegalDocuments.co.uk

We're not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.

Updated June 2026 · England & Wales
Renting out a property involves handling a surprising amount of personal information. From identity checks and right-to-rent documents through to bank details, references and deposit scheme registrations, landlords routinely collect data that falls squarely within UK data protection law. Tenants, on the other side of the arrangement, have meaningful rights over how that information is used and stored. Getting this wrong is not a minor administrative issue: mishandled tenant data can lead to complaints, enforcement action by the Information Commissioner's Office, and reputational damage that spreads quickly through tenant communities. This guide sets out how UK GDPR and the Data Protection Act 2018 apply in a residential letting context, what landlords should be doing in practice, and what tenants can reasonably expect. It is written for private landlords, accidental landlords, and tenants who want to understand their position.

Overview

Tenant data protection refers to the legal rules that govern how personal information belonging to tenants and prospective tenants is collected, used, shared and stored. In the UK, the main framework is the UK GDPR, read alongside the Data Protection Act 2018, and regulated by the Information Commissioner's Office (ICO).

A landlord who decides why and how tenant data is processed will typically be acting as a data controller. That status carries real obligations: there must be a lawful basis for every use of personal data, tenants must be told clearly what is happening with their information, and the data must be kept secure and accurate.

Letting agents, referencing companies and deposit schemes usually sit somewhere in the chain too, sometimes as separate controllers and sometimes as processors acting on the landlord's instructions. The practical reality for most landlords is that a tenancy generates a surprising amount of personal data: passport scans, payslips, bank statements, guarantor details, maintenance records, CCTV footage at communal entrances, and sometimes sensitive information about household members. All of it needs to be handled with the same care a business would apply to customer records.

Key steps

  1. Map the personal data you actually hold. Before you can comply with anything, you need an honest picture of what tenant information you collect, where it lives, who has access, and how long it stays there. Walk through a typical tenancy from enquiry to move-out and list every document, spreadsheet, email thread and cloud folder involved. Most landlords are surprised by how much has accumulated.
  2. Identify a lawful basis for each use of data. Under UK GDPR you cannot process personal data without a lawful basis. For tenancy administration, performance of the contract and legitimate interests are often the right fit; consent is usually the wrong choice because it can be withdrawn. Right-to-rent checks rely on legal obligation. Document your reasoning so you can justify it if challenged.
  3. Give tenants a clear privacy notice. Tenants and applicants should receive a written privacy notice explaining what data you collect, why, who you share it with (referencing agencies, deposit schemes, contractors, HMRC where relevant), how long you keep it and how they can exercise their rights. This should be provided at the point of collection, not buried in the tenancy agreement.
  4. Secure the data you hold. Practical security matters more than fancy policies. Use strong, unique passwords and two-factor authentication on email and cloud storage, avoid sending copies of ID documents over unencrypted channels where possible, lock paper files away, and limit who in your business or family has access. If you use a letting agent, check what their security arrangements look like in writing.
  5. Handle requests and incidents properly. Tenants can ask to see their data (a subject access request), ask for corrections, or object to certain uses. You generally have one month to respond. If personal data is lost or exposed (a stolen laptop, a misdirected email, a break-in at the office), assess whether it needs to be reported to the ICO within 72 hours and, in serious cases, to the tenants themselves.

Common questions


Q Do I need to register with the ICO as a private landlord?
Most landlords who process tenant data electronically are required to pay a data protection fee to the Information Commissioner's Office, unless a specific exemption applies. The fee depends on the size of the operation. You can check whether you need to register and what the current fee is by using the self-assessment tool on the ICO website. Failing to pay when required can itself lead to enforcement action.
Q Can I share tenant information with a referencing agency or guarantor?
Yes, where it is necessary for the tenancy and the tenant has been told this will happen. Sharing with a referencing agency is usually covered by performance of the contract or legitimate interests. Sharing with a guarantor should be limited to what the guarantor genuinely needs. In every case, the tenant should know who their information is going to before it is sent, ideally through your privacy notice.
Q How long can I keep a former tenant's data?
Only as long as there is a genuine reason to keep it. Some records, such as those linked to tax or deposit protection, may need to be retained for several years. Others, such as unsuccessful applicants' identity documents, should usually be deleted much sooner. A sensible approach is to set clear retention periods, write them down, and actually delete material when the clock runs out.
Q What rights do tenants have over their personal data?
Tenants have the right to be informed about how their data is used, to access a copy of it, to have inaccurate data corrected, and in some circumstances to request erasure or restrict processing. They can also object to certain uses and complain to the ICO if they are unhappy with how a landlord has handled things. These rights apply to current tenants, former tenants and applicants who never moved in.
Q Is CCTV at a rental property covered by data protection law?
If CCTV captures identifiable people beyond a purely domestic setting (for example, shared hallways in an HMO or a block of flats), it generally falls within data protection law. Landlords using CCTV should have a clear purpose, signage telling people they are being recorded, limited retention of footage, and proper security around access. The ICO publishes practical guidance on video surveillance worth reading before installing cameras.
Q What happens if I get data protection wrong?
Consequences range from tenant complaints and reputational damage through to formal investigation and fines from the ICO. Civil claims from individuals are also possible where someone has suffered distress or loss. In most cases, the ICO prefers to see landlords taking compliance seriously and fixing problems, rather than issuing penalties for minor errors, but persistent or serious breaches are treated far more firmly.
Q Do letting agents take on the data protection responsibility instead of me?
Not entirely. Where you instruct an agent, you usually remain a data controller for your own purposes, and the agent is either a separate controller or a processor depending on the arrangement. The right approach is a written agreement that sets out who does what, what security the agent maintains, how incidents are handled, and what happens to tenant data when the relationship ends.

Sources

This guide is based on primary UK law and official guidance.

Written & reviewed by

Brad Askew, Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.