Delivering mail to multi-occupied addresses

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Colin Stack, Mar 8, 2018.

  1. Colin Stack

    Colin Stack UKBF Newcomer Free Member

    Hello, I am hoping you can help me understand GDPR compliance with regard to a specific real situation.

    I am a residential Sheltered Housing Scheme Manager for a housing association.

    My site has 19 self-contained flats spread over three floors within a building for residents over the age of 60.

    On the ground floor, the building has a communal lounge, kitchen, laundry and internal communal pigeon holes for the post.

    These pigeon holes have been part of the building for over 40 years and are simply open wooden 1ft x 1ft x 1ft cubes with no door.

    The Housing association believe this system would breach GDPR rules and therefore looked at alternatives. The cheapest alternative is to direct the Royal Mail to deliver the mail direct to individual flats as opposed to upgrading the pigeon holes to be secure.

    This is the point I am up to now.

    I have explained that letters are a form of data and therefore when left within the building it becomes the association’s responsibility to ensure this data is stored securely.

    One of the arguments is the building is secure as there is key code entry so what is the problem? Some residents like to help by posting mail into their door to save them coming down. I explained that this also is not acceptable but residents state this is fine by them.

    The residents find any change difficult and believe the association is just being awkward as they have not heard of GDPR and they have even checked the Royal Mail website, which states:

    Where delivery arrangements already exist where a facility is provided such as a central point for the delivery of mail or the provision of external lockable letter boxes at a building/site, these will be deemed as the delivery point for the individual addresses. In such circumstances, Royal Mail will not perform deliveries to individual residences or business premises, if requested by individual customers, even if the delivery standard criteria below are met.

    Is there any official reference I can direct residents to that could easily be interpreted in this scenario?

    Moving forward I predict some residents may even request the postal worker to continue to put mail in a central point for collection. Would I need to get such residents to sign a disclaimer in the event their mail went missing?

    Any help or advice would be very much appreciated.

    Sorry for waffling on, it feels like a simple problem made more complicated than it needs to be.

    Many Thanks

    Posted: Mar 8, 2018 By: Colin Stack Member since: Mar 8, 2018
  2. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    Firstly it would be good to understand why the association think this is a non-compliance issue, that would help with the resolution. I don't think there is a specific reference in GDPR to answer this - that is not the aim of it. The aim is ultimately to 'do the right thing'. The key to it is to document that you have considered it. I would suggest that you include within your documentation (all policies, procedures etc.) a statement advising that mail is delivered to this location, should the recipient not be happy with it then adjustments may have to be made (they have the choice to exercise their rights). Make it clear to all the individuals that if they want to change the process they can. If they are all happy I don't see an issue.

    From a personal perspective, if the letters were opened and placed in the pigeon holes that would be a different matter, however I see this as a more secure location than from the time it is actually posted.
    Posted: Mar 8, 2018 By: Simon Plummer Member since: Dec 6, 2017
  3. LiveNetworks Ltd

    LiveNetworks Ltd UKBF Regular Free Member

    I can't see GDPR having any impact on post being delivered to a central location as you describe. The 'data' isn't visible to anyone and opening post not addressed to you is a criminal offense so the law is already on your side.

    There's also the issue that you're not the data processor, so not entirely sure that the provision of a central post box would make you responsible for the data within it.

    If I park my car in the Tesco car park, they're not responsible for loss or damage, same goes for post in your pigeon holes. Perhaps a disclaimer notice is the way to go?
    Last edited: Mar 8, 2018
    Posted: Mar 8, 2018 By: LiveNetworks Ltd Member since: Jan 31, 2018
  4. Colin Stack

    Colin Stack UKBF Newcomer Free Member

    Thanks for your replies.

    There have been complaints from a small minority over the last few years that other residents:

    • Look through the unopened mail in pigeon holes that's not their own

    • Relocate other residents' mail into different pigeon holes

    • Read postcards in other pigeon holes

    • Deliver mail as a favour to their neighbour's letterbox and sometimes distribute the wrong mail in the wrong address

    • Discard leaflets from all pigeon holes that they deem as not relevant

    • Pass comment on another resident's mail, e.g. "oh I see they didn't get a letter from such and such that others received."

    All these actions are not malicious and done with good intentions but can upset more sensitive residents. Remember the residents are age 60 – 93 and some may have memory issues.

    The majority are happy and stubborn in their wish for no change stating the mail is secure because they trust their neighbours.

    I believe the worry is if the situation remained as it is and some mail (personal data) was interfered with, albeit with good intentions, a complaint could result in a hefty fine for not having the data secure within the building.

    I agree this needs a policy and procedure review and the idea of a disclaimer could be very useful.

    This leads onto another question.

    If I had a disclaimer notice by the pigeon holes.

    Such as **** is not responsible for any items left in this central location.

    Would the Royal Mail then have an issue with the GDPR as they should only be leaving post in a secure location and the disclaimer would question the security of the central location?

    What I hoped for was a simple way of saying to residents:

    A letter can be regarded as personal data as it contains your name and address.

    When the Royal Mail delivers the mail this is a transfer of responsibility for the safe delivery of the personal data. The central location within the building will not be deemed secure by new data protection laws from 25th May 2018.

    The cheapest alternative as ***** is a not for profit company would be to change the point of delivery for the Royal Mail to individual letterboxes which meet the new data protection laws.

    Would be good to have some form of reference to back up the above?

    Any ideas?

    Many Thanks

    Posted: Mar 9, 2018 By: Colin Stack Member since: Mar 8, 2018
  5. LiveNetworks Ltd

    LiveNetworks Ltd UKBF Regular Free Member

    Two obvious points, 1) Ask the ICO and Post office if they believe the boxes to be considered secure for their purposes? (The post office must do if that's where they leave the mail?)
    2) Was GDPR written with the intention that the rules would apply to your situation? (I don't believe it would have been!)

    At this level of concern it's likely that just walking down the street and saying 'Hi Bob' to a neighbour would fall foul.
    Posted: Mar 9, 2018 By: LiveNetworks Ltd Member since: Jan 31, 2018
  6. Gecko001

    Gecko001 UKBF Enthusiast Free Member

    Do the residents have front doors with letter boxes? If not, what would be the cost of providing them compared to the cost of getting pigeon holes with lockable doors?
    Posted: Mar 9, 2018 By: Gecko001 Member since: Apr 21, 2011
  7. Keith Budden

    Keith Budden UKBF Contributor Full Member

    I really think in this circumstance your housing association is being 'over cautious'.

    The Post Office don't need to get consent from the recipient of a letter that it is ok for the name and address of the recipient to be visible while it is in transit, that would be ridiculous. I think have a clear document that says this is the procedure we are adopting, maybe have a policy with a clause that residents accept that while their post is in their cubby hole there is a danger of it being intercepted, damaged or stolen, but that you have conducted a risk assessment and consider the risk to be sufficiently small that no further action is required. GDPR was really not designed to be applied to the circumstance you have described.
    Posted: Mar 30, 2018 By: Keith Budden Member since: Mar 30, 2018