The Sector Risk Profile sets out the RSH view of the most significant sources of risk to providers’ ongoing compliance with our regulatory standards. This publication is aimed primarily at Boards of private registered providers and focuses in particular on risks to compliance with our economic standards, though some issues will also be relevant to local authority registered providers. It remains the responsibility of Board members and councillors to meet regulatory standards and to determine how this is done.
The document includes a section written specifically on data integrity and data security, which is reproduced below.
Data integrity
3.27 Accurate, up-to-date, complete, and consistent data are fundamental for Boards to monitor areas such as rent setting, financial management, stock condition, health and safety, and meeting consumer standards. Board oversight, control, and decision making are undermined by failure to maintain data integrity or by data isolated in siloed systems.
3.28 Boards must have assurance that data integrity is appropriately managed, including ensuring adequate quality controls and robust audit trails are in place, identifying critical data and Information Asset Owners, establishing process maps, and implementing appropriate software solutions such as error detection.
3.29 Accurate and timely data underpins our engagement with providers. We consider failure to manage data integrity to be indicative of a poor internal controls assurance framework. Failure to provide accurate and timely data that meet regulatory requirements will be reflected in the judgement of a provider’s compliance with regulatory standards.
Data security
3.30 Providers gather many types of data in the course of their activities and have a duty of care to tenants and staff to protect this data against a backdrop of increasing data security risks. Failure to adequately ensure the security of data risks a breach of trust between the provider and its stakeholders, damage to services, potential penalties, and harm to tenants.
3.31 The widespread adoption of remote working and increased online service delivery during the pandemic has allowed more opportunities for phishing, malware, and ransomware attacks. These have included high-profile instances of public sector and not-for-profit organisations falling victim to such attacks in the last year. Remote working has also increased the likelihood of staff having devices lost or stolen when away from the office environment. Many providers have also collected more data on tenants and staff during the pandemic, increasing exposure to data protection risks.
3.32 All providers must comply with the Data Protection Act 2018, and Boards must seek assurance that their IT security function is safe and secure and that security vulnerabilities are appropriately mitigated. Boards must also understand the risks of processing personal data with third parties, including the need to undertake due diligence on third parties’ security measures, using standardised contractual clauses where necessary, and documenting where data is located.