STEMHQ
All articles
GDPRSolicitor EscalationData ProtectionPossession

Sharing Tenant Data with Your Solicitor: A GDPR-Compliant Process for Landlords

When arrears escalate to court, you need to share tenant data with a solicitor. Here is how to do that in a way that respects UK GDPR, not just convenience.

STEMHQ3 July 20266 min read

Somewhere in most landlords' sent folders sits an email that would make a data protection officer wince: a full rent ledger, a tenant's address history, sometimes a note about a benefits claim or a health circumstance, sent to a solicitor with no agreement attached and no record kept of what went out or when. It is rarely done carelessly. It is usually just how the case has always been handed over, right up until arrears become a court case and someone asks how the data was actually shared.

The moment a tenant's rent ledger, notices, or personal details leave a landlord's hands for an external solicitor, personal data has been disclosed to a third party. Under UK GDPR, that solicitor becomes a Data Processor acting on the landlord's instructions as the Data Controller, and the Information Commissioner's Office is clear that this relationship is generally expected to be governed by a written contract, not an informal email exchange, before any data is accessed.


What Article 28 is generally understood to require

Article 28 of UK GDPR sets out what a Data Processing Agreement between a landlord and a solicitor should typically cover. Per the ICO's own guidance on contracts and liabilities between controllers and processors, that includes the subject matter, duration, and purpose of the processing, the categories of personal data involved, the processor's obligations around confidentiality and security, and what happens to the data once the engagement ends.

Where a case-sharing process has no equivalent of this in place before data changes hands, it is unlikely to meet the standard Article 28 sets out, regardless of how secure the email itself was in transit. That is a compliance gap worth closing before it becomes a live question, rather than after.


Data minimisation, in practice rather than in principle

Article 5(1)(c) of UK GDPR is generally read as requiring that personal data shared with a third party is limited to what is actually necessary for the purpose at hand. Applied to a possession case, that tends to mean sharing only the specific tenant's case pack, not the landlord's whole tenant database or wider portfolio, leaving out other tenants' details even where they live at the same property or in the same HMO, and not sharing financial data beyond what is relevant to the specific arrears or possession matter. A solicitor instructed on one possession case has no obvious need to see a landlord's other tenancies, and a data-sharing process that hands over more than that is arguably not minimising anything.


Why the accountability principle matters more than it sounds

Article 5(2) puts the burden on the landlord, as Data Controller, to be able to demonstrate compliance, not merely to achieve it in theory. If data-sharing practices are ever questioned, whether by the tenant, the ICO, or in the course of litigation, being able to show when a solicitor was given access, what specifically they could see, what they actually opened or downloaded, and when access was revoked, makes the difference between a defensible process and a difficult conversation.

An email sent from a personal inbox with an attachment provides essentially none of that. A dated folder of PDFs is a small improvement, but it still leaves no record of who actually opened what, or when.


A practical checklist before sharing a case file

  1. Confirm the solicitor is registered with the Solicitors Regulation Authority, using their SRA number
  2. Put a Data Processing Agreement in place, or use a platform that gates access behind one automatically
  3. Scope what is shared to the single case in question, not the wider portfolio
  4. Keep a record of what was shared, with whom, and when
  5. Revoke access once proceedings conclude, or if the instructed solicitor changes

Where STEMHQ fits in

STEMHQ's solicitor escalation portal requires a solicitor to accept a Data Processing Agreement before any data becomes visible, scopes access to a single tenant's case pack, and keeps an append-only log of every invite, DPA acceptance, case view, and document download. Access can be revoked with one click once proceedings conclude. None of that replaces independent legal advice on a specific case, but it gives landlords the process and the record that Articles 28 and 5 are generally understood to call for.

This article summarises publicly available ICO guidance and is not a substitute for advice from a data protection professional or solicitor on your specific circumstances.

Manage this in STEMHQ

Track compliance, serve Section 8 notices, and stay RRA 2026 compliant. Free to start - no credit card needed.

Start free

Ready to get your portfolio under control?

Start free today. No credit card. No setup. Just add your properties and tenants and you're live.