Data Breach - Update

Having raised the issue of the Data breach with GreenSquareAccord and having been ignored (as published here) I duly reported them to the ICO. Not only was my email ignored so too was a written letter sent to Sophie Atkinson (GreenSquareAccord’s Executive Director of Governance) proving that the trait of ignoring residents is systemic throughout the entire business even when pertaining to legal misgivings. As Ms Atkinson has only been with GreenSquareAccord since July 2021 it is a worrying to learn that this neglectful approach to the role has already set-in.

Reported to ICO

Following guidelines as published by the ICO (Information Commissioner’s Office) I afforded GreenSquareAccord a full month to ignore me before I reported them.

This wasn’t a major data breach, but it was worrying as it showed a complete lack of understanding from a company that holds a vast amount of resident data. Their failure to address the issues, offer an apology, or to outline improved and robust procedures that would ensure this wouldn’t happen again was perhaps the most contentious point.

The ICO findings

GreenSquareAccord also received and email from the ICO

And here for your reading pleasure is an extract from this email.

Why we are contacting you

Your customer has complained to the ICO about your handling of their data protection complaint. They believe that you have not complied with your obligations under data protection law.

It is our decision that there is more work for you to do. As such, we now expect you to take steps to address any outstanding issues with your customer. 

What you need to do now

One of the ICO’s strategic goals is to increase the public’s trust and confidence in how their personal data is used and made available. In order to meet this goal, data controllers must take ownership of handling personal data and responding to information rights requests.

Accountability is one of the data protection principles and it makes you responsible for complying with the UK General Data Protection Regulation (GDPR). You must be able to demonstrate your compliance to your customer and resolve their concerns without the need for the individual to come to us. The attached document provides more detail about this.  

As a regulator we look to organisations to effectively manage and resolve the data protection complaints they receive. When your customer makes a complaint to us, they are effectively informing the regulator that you are breaking the law. Reports of this kind are something that we will treat seriously and robustly. We do not expect to receive complaints when there is still further work for an organisation to do.

We therefore require you to revisit the way you have handled this matter and consider what further action you can now take to resolve this complaint. We expect organisations to deal with the data protection complaints they receive and to proactively work with their customers to provide an appropriate resolution.


If you believe that you have complied with your obligations under data protection law, you will need to explain this in detail to your customer. You also need to be confident that you have done all you can to find an appropriate resolution. 

We have attached a checklist to help you with this, you should be able to tick off all the points on this non exhaustive list. 

We expect you to contact your customer within the next 28 days with this further information. If you are unable to meet this timeframe we expect you to contact your customer to let them know and to advise them when to expect it. You do not need to provide a response to us at this stage.

However, if we receive a further complaint about this processing, we will carefully review and assess the response you have provided to your customer. If we consider that you are infringing data protection law then we will consider using our formal powers and any sanctions available.

Although individuals do have the right to raise complaints with the ICO, we should not be viewed as a routine second stage in a resolution process. As indicated above, we expect organisations to take their personal data obligations seriously and this should reduce the need for individuals to approach the regulator directly. 

 Still ignoring customers!

GreenSquareAccord who still believe ignoring customers is the best line of defence, have now been instructed by a governing body to respond to my complaint (about their inability to manage our data) within 28 days.

  • When will GreenSquareAccord and Ruth Cooke learn that ignoring customers is not a feasible pathway to becoming a ‘simply brilliant landlord’?

  • How many governing bodies do we need to involve?

  • Surely GreenSquareAccord and Ruth Cooke are tired of having their faults ‘washed in public’ - surely?

As always - updates to follow.