Governance, Risk Management and Compliance
|
Data Protection
|
GDPR
BLOGS

STAIRs: A New Standard for Social Housing Providers

Stuart Skelly
|
Senior Consultant at URM
|
PUBLISHED on
10 Jan
2025
Table of contents
What is STAIRs?Is this just an extension to FOI – if so, why didn’t the Government just extend the FOI Act to include housing associations?High-level similarities between STAIRs requests and FOI Requests / GDPR DSARsSTAIRs Standard and Freedom of Information: a Detailed ComparisonHow URM can Help?
What is STAIRs?
Is this just an extension to FOI – if so, why didn’t the Government just extend the FOI Act to include housing associations?
High-level similarities between STAIRs requests and FOI Requests / GDPR DSARs
STAIRs Standard and Freedom of Information: a Detailed Comparison
How URM can Help?

The Social Tenant Access to Information Requirements (STAIRs) is a policy statement introduced by the UK Government, under the leadership of the Ministry of Housing, Communities and Local Government (MHCLG).  In 2024, it was put forward for public consultation as a foundation for a proposed new regulation aimed at benefiting tenants of private sector social housing providers in England and Wales.  In July 2024, the consultation period ended, and we are now awaiting the Government’s decision on when to activate the existing legislation to bring the STAIRs requirements into effect by way of a new legal access to information standard, with which private social housing landlords will have to comply.

What is STAIRs?

The intention behind the STAIRs is to plug an ‘information rights gap’ experienced by social housing tenants whose landlords are what are known as private registered providers (PRPs), being predominantly housing associations, rather than local authorities (the other main provider of social housing in this country).  Social tenants renting homes from local councils, which are classified as public authorities under the Freedom of Information Act 2000 (FOIA), currently have the right to submit freedom of information (FOI) requests to their landlords. This statutory right grants them access to a wide range of information about their homes, among other matters.  On the other hand, people who rent from housing associations are not covered by the FOIA.  As such, if they wish to make a formal request to their landlord for information, they are not entitled to submit an FOI request but instead must rely on a data subject access request (DSAR) under the Data Protection Act 2018 (DPA).  Although it is quite a strong right, a DSAR is not very broad as it only relates to the requester’s personal data – i.e., information about the person as an individual.

The aim is for the STAIRs to address this shortfall between the right to make an FOI request, which currently only council tenants enjoy, and the DSAR right, which residents of housing associations are limited to relying on at the present time.

The MHCLG will achieve this purpose through the Secretary of State instructing (under a power in the Housing and Regeneration Act 2008) the Regulator of Social Housing (RSH) to introduce a new standard for housing association landlords to be more transparent with their information that could be of use and interest to their tenants.  The STAIRs will be published under the power already contained in Section 22 (‘Standards relating to information and transparency’) of another existing law, the Social Housing (Regulation) Act 2023.

The new standard brought in by the RSH will:

  • Enable housing association residents to request data about the management of their homes
  • Set specific time periods for responses, and
  • Require housing associations to publish certain information proactively via a publication scheme.

URM expects the types of information that will be requested by social tenants to include:

  • Condition of the property
  • Repairs and improvement plans
  • Patterns of poor property conditions within a block or district
  • Repair times
  • Antisocial behaviour (ASB) cases and outcomes locally
  • Health and safety issues
  • Breaches of housing association or other policy
  • Outcomes of property inspections
  • Basic property estate management
  • Senior employees’ (decision makers’) names and job roles
  • Policies and procedures
  • Property spending
  • Housing stock management
  • Performance standards
  • Rent rates
  • Service charges for shared owners.

Is this just an extension to FOI – if so, why didn’t the Government just extend the FOI Act to include housing associations?

As mentioned above, FOI already applies to local authority housing providers – council social housing tenants have been able to make significant requests to their public authority landlords for 20 years.  STAIRs is specifically aimed at PRPs – private sector social landlords, such as housing associations - which are exempt from FOI, due to their non-public status.  Bringing in the STAIRs standard continues to respect the fact that, fundamentally, FOI is intended for use with public bodies spending taxpayers’ money, but acknowledges the additional information and transparency duties which bind PRPs, by virtue of their special ‘quasi-public’ function and role in society.

It was deemed disproportionate to extend the FOI to PRPs.  The STAIRs-based standard is intended to strike a fair balance between the information privacy and efficiency rights of PRPs as private organisations, and the ‘rights to know’ of their tenants who have more than the normal consumer/supplier relationship with the provider of the roof over their heads.  For example, unlike the FOIA, the STAIRs scheme will not be available for use by the press or by ordinary members of the public who are not tenants of PRPs.  The standard is specifically directed at tenants and their representatives.

It is proposed that the timescale for response to STAIRs information requests will be 30 days, whilst further time may be applied for in exceptional circumstances – similar to a DSAR.  Complaints of failure by PRPs to comply with requests will be heard by the Housing Ombudsman.

STAIRs will not override the statutory rights of the FOIA or the General Data Protection Regulation (GDPR)/DPA.

High-level similarities between STAIRs requests and FOI Requests / GDPR DSARs

  • The receiving organisation may refuse a request if:
    • the requester cannot be validated
    • a request is abusive or offensive, or
    • the request would take longer than 18 hours to fulfil (subject to the consultation).
  • Complaints process to the regulator
  • 30-day timeframe for response (DSAR is one month, FOI is 20 working days).

STAIRs Standard and Freedom of Information: a Detailed Comparison

Obligation

STAIRs (England & Wales)

FOI (England & Wales and Scotland)

Publication of information

Registered providers to adopt and maintain a publication scheme, where information is published proactively for the benefit of tenants. Listed below are the aspects that should be included as part of the publication scheme. Landlords must:

  • Specify the information that is held by the registered provider and falls within certain specified classifications;
  • Proactively publish, or otherwise make available as a matter of routine, information that it holds and falls within the relevant classifications;
  • Make tenants aware of the publication scheme so that information can be easily identified and accessed by tenants; and
  • Review and update on a regular basis the information the registered provider makes available under the publication scheme.

Where information is held by a landlord’s subcontractors, the standard will require the landlord to use all reasonable endeavours to obtain the information from the subcontractor and provide it to the tenant. Landlords must also respond to specific information requests from tenants. They should also consider whether the information provided to tenants in response to information requests should be published under the publication scheme (the consultation looked for views on whether this should be made a requirement in the publication scheme).

England and Wales (Freedom of Information Act 2000 – ‘FOIA’): organisations must have a publication scheme which is approved by the Information Commissioner’s Office (ICO). This is the information the organisation must proactively publish.

They must publicise the fact that the information is available, and publish a guide to available information as well as a schedule of fees. Information held by subcontractors may be covered by FOIA and subcontractors are encouraged to forward FOI requests they receive to the public body.

Scotland (Freedom of Information (Scotland) Act 2002 – ‘FOISA’): organisations must have a publication scheme which is approved by the Scottish Information Commissioner. This is the information the organisation must proactively publish. They must publicise the fact the information is available, and publish a guide to available information. Information held by subcontractors may be covered by FOISA.

Who can make a request?

Social housing tenants of a PRP, or a tenant may nominate a designated representative to communicate with their provider on their behalf.

Tenants must identify their representative to their provider.

England and Wales, Scotland:
anyone can make a request (using their real name).

Processing Requests

PRPs must fulfil all requests for relevant information, unless it is reasonable to withhold the information from disclosure (see ‘Refusing a request’ below). Where information is held by a landlord’s subcontractors, the standard will require the landlord to use all reasonable endeavours to obtain the information from the subcontractor and provide it to the tenant. Landlords are not required to share information if it may be accessed through a statutory regime (but must direct the requester to it). Landlords must not destroy, manipulate, or alter the information that is requested with intent to prevent disclosure.

Registered providers are not required to create new records to comply with the information request.

England and Wales:

Public authorities must tell an applicant whether they hold the information and must provide that information. Requests must be made in writing.

Some information held by subcontractors may be covered by FOIA. Some information may already be readily available and should be shared through normal customer service routes. There are some exemptions to the Act – for example, if it would be against the public interest to release the information.

Altering or deleting information to avoid releasing it in response to a request is a criminal offence.

Scotland:

Public authorities must supply the information or explain why not. Requests must be in a format that can be kept for future use (e.g., in writing or video/audio format). Some information held by subcontractors may be covered by FOISA. Some information may already be readily available and should be shared through normal customer service routes.

There are some exemptions to the Act – for example, information to do with a current court case. It’s a criminal offence to hide, change or destroy information to prevent disclosure.

Refusing a request

A registered provider may refuse an information request where:

  • It is reasonable* to withhold the information from disclosure
  • The identity of the applicant cannot be established
  • The meaning of the request is not clear
  • The information requested is not relevant information
  • The work involved in responding to the information request would exceed 18 hours of staff time
  • The request is repeated, including where registered providers receive repeated requests from multiple applicants acting in coordination
  • The request is offensive or communicated in an abusive manner.

*Reasonableness test: in deciding whether or not it is reasonable to withhold information, providers will have due regard to the definitions given, and protections afforded to, certain classes of information in the FOIA, DPA and any other relevant statutes. This means that, in deciding whether to withhold the information, registered providers will be expected to consider the requirements and exemptions in these pieces of legislation.

In assessing what is reasonable, registered providers should not refuse a request on the basis of:

  • The applicant’s identity or reasons for the request, beyond ensuring they are a tenant or a representative acting on their behalf; or
  • How the information is to be used following disclosure. Providers should balance factors favouring disclosure against the likelihood of any harm arising from disclosure.

Where the relevant information was provided by or relates to a third party, the registered provider must consider the views of that third party regarding the likelihood of any harm.

England and Wales:

Public authorities can refuse a request if it is not valid (in writing with a name and address) or if it would cost too much in staff time, if the request is vexatious, if the request repeats a previous request from the same person or if the information is exempt.

Scotland:

Public authorities can refuse a request if the request is not made in a recordable format, it would cost too much in staff time, if the request is vexatious, if the request repeats a previous request from the same person, or if the information is exempt.

Responding

Response must be prompt and no later than 30 calendar days from receipt. Further time is permissible in exceptional circumstances:

  • To consider whether it is reasonable to withhold the requested information; and/or
  • To arrange access to relevant information held by a contractor or by another body on the provider’s behalf. If taking further time to respond, provider must respond in a timeframe that is reasonable. Applicants must be notified if their request is refused or will be delayed ensuring the reason is provided, including details of when they can expect to receive a response. Documents may be redacted where appropriate. Reasonable effort must be made to ensure information is disclosed in a format that is accessible to applicants. Applicants should be guided to other information resources relevant to their request, where PRPs aware of them.

England and Wales, Scotland:

Public authorities have 20 working days to respond to a request.

Documents may be redacted where appropriate. Information should be provided by whatever means is most reasonable (including the preferences of the requester).

Complaints

Where the applicant is dissatisfied with the handling or outcome of their information request, they should first complain to the provider.

The provider must carry out a review, normally within 30 calendar days of receipt; however additional time may be required in certain circumstances.

If the applicant is dissatisfied with the provider’s response to their request for review, they will be able to directly escalate this to the Housing Ombudsman.

The Housing Ombudsman will not be able to consider a complaint where the tenant has an alternative source of redress in relation to data protection legislation.

England and Wales:

Public authorities are not required to have a complaints process. Where one exists, an internal review is the first step. Requesters may then appeal to the ICO.

Scotland:

Requesters should ask the authority for a review within 40 days after the date of response; requesters may then appeal to the Scottish Information Commissioner.

The regulator is expected to issue the STAIRs standard in its finalised form in 2025, and URM will confirm when this happens.  In the meantime, you can visit our website page dealing with URM’s STAIRs-related service offering.

How URM can Help?

Whilst the introduction of STAIRs is an entirely new development in the regulatory landscape for PRPs, URM’s 2 decades’ of experience supporting organisations to meet data protection compliance requirements means we are ideally positioned to help PRPs comply with the STAIRs standard once it comes into force.  As with all our data protection services, URM can provide a gap analysis service, where URM can review all your relevant processes and determine what changes need to be made in order to meet the requirements of the STAIRs standard.  As part of such a review, we will provide you with a with a prioritised list of remediations to address any shortfalls.  URM can also support you in developing new processes and policies and in providing your staff with awareness training and your data protection champions with more in-depth training on how to deal with STAIRs requests.  This training will include dealing with exemptions, timeframes for responding, when requests can be refused and how to respond.

For those organisations with limited data protection resources, URM is able to offer a virtual data protection officer (vDPO) service, providing ongoing or ad hoc support with any aspect of STAIRs and GDPR compliance that you require.  

Other Data Protection Services

URM can provide DSAR support in the form of our DSAR redaction service, whereby our large team of consultants will help to apply the necessary exemptions and redactions to ensure your response to these requests is completed in full compliance with the GDPR.  Or, to evaluate your organisation’s processing practices more broadly, we can conduct a GDPR gap analysis, where we identify the areas in which you are currently compliant with the Regulation and any areas of noncompliance for remediation.  

To strengthen your own understanding of data protection, we also regularly deliver a number of data protection training courses, each of which are led by a practising GDPR consultant.  Our half-day courses on conducting data protection impact assessments (DPIAs) and data transfer impact assessments (DTIAs), as well as our one-day ‘How to Manage DSARs’ training course, will all leave you with the necessary skills to undertake these vital compliance activities in your workplace.  Meanwhile, to gain an industry-recognised data protection qualification, URM runs the BCS Foundation Certificate in Data Protection (CDP) course, aimed at leaving you with a strong understanding of the UK data protection legislative landscape.

Stuart Skelly
Senior Consultant at URM
Stuart is a highly experienced and knowledgeable GRC consultant at URM who has specialised in data protection law for 25 years.
Read more
Read more

Recent blogs
ISO 13485: Medical Devices-Quality Management System Explained
Mitigating Cyber Risks: Why Cyber Essentials Matters More Than Ever
Are You Getting Cookies Compliance Wrong?
Updated Data Protection Laws Introduced by Chile and India
Establishing Organisational Control Over Artificial Intelligence
How URM can help?
Consultancy
Do you need assistance in improving your GDPR compliance position?

URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes etc.

Read more
Training
Gain a sound grounding and practical interpretation of the GDPR and the DPA 2018!

By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.

Read more
Consultancy
Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.

Read more
related BLog posts
Thumbnail of the Blog Illustration
Data Protection
Published on
6/4/2023
Chatbots and Personal Data: Benefits and Risks

This blog considers at high-level various possible legal ramifications of using Chatbots, especially ChatGPT, concerned with data protection risks.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
25/7/2022
ISO 27701:2019 and the GDPR

The EU GDPR and the UK DPA both require organisations to protect and ensure the privacy of any personal data which they process.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
22/7/2022
Data Protection and Management System Standards – Which is Best for Me?

Is there a catch-all international standard that effectively proves external verification of data protection compliance?

Read more
"
Leanr more about
URM Services
Great webinar with lots of information. All easy to understand.
Ann S.
Webinar 'ISO 27001:2022 – What’s new?'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.