If someone broke into your house and took a video of lots of personal information, like photos of family and pets, copies of bank and insurance documents, share dividend cheques, an asthma inhaler and an invoice for a stairlift, you would doubtless think that it was a shocking breach of privacy and want tough action taken against the intruder.
But what if you allowed an estate agent who you had instructed to sell your house to do this? You might have given them permission to take the video, but the assumption would probably be that they would blur or obscure all such personal data.
As the BBC has recently reported, that is the position of the sellers of a house in Devon, where a 3D video of their property left a large amount of personal data open to be viewed without any security protection.
Although the UK has left the EU, the provisions of the General Data Protection Regulation (GDPR) still apply in a version specific to the UK, as part of the Data Protection Act 2018.
These laws state that any data that can identify a living individual is personal data, and subject to the UK GDPR. This clearly includes the above data in the seller’s house.
There is an exemption for personal or household activities, so if the house owners allowed a friend to take such a video and post it on social media, then the UK GDPR does not apply. However, this exemption only applies to purely personal or household activities, with no connection to a professional or commercial activity.
Here, the estate agents were using the video in order to try to sell the client’s house so this would be a commercial activity.
Data that relates to health should be subject to particular care to prevent it from being disclosed, so images of inhalers and stairlift invoices are serious concerns.
The BBC says that it has reported this to the Information Commissioner (ICO) as a data breach and indeed the estate agents should do the same, if they have not already done so.
There is a time limit of 72 hours from discovery of the breach for a report to be made, so if the agency has delayed beyond this time period, it can expect some stronger enforcement measures to be taken by the ICO, possibly including a fine.
The fact that the house owners knew that the video had been taken and presumably knew that they had left all of this data in plain sight might be regarded as a mitigating factor and particularly if the video had been sent to the client for approval before it was uploaded to the website, it could be argued that they were at least in part to blame for the breach.
However, the estate agent will be regarded as the Data Controller, having collected this data in the video, and therefore has a primary responsibility to protect the privacy of personal data over and above instructions from their client which may not have specifically addressed the data privacy concern.
The lessons for estate agents are that they need to be aware of their obligations under UK GDPR regarding their client’s personal data, and to take active measures to obscure anything that could identify their clients.
The message for your clients is that they should ask to check any material like a video that their agent might wish to post and ensure either that all sensitive personal material is put away, or that if it appears in a video, that it is obscured.
Furthermore (from a general confidentiality perspective), it is a good idea to put away in a locked location any papers of materials before your house is viewed by a prospective purchaser.
*Patrick Wheeler is a Partner at law firm Collyer Bristow LLP.