Managing your building data

Building managers today may collect a variety of data, including sensitive health information – how can they ensure they stay within the law and respect occupants’ privacy?


  • James Castro Edwards
  • Suzanne Gill

06 November 2020

If you remember when a 'building manager' sat in an office posting out rent demands four times a year, that will show your age! Today, building management is a highly skilled role which involves, as many roles do, more and more use of technology. How can managers use data and technology both to monitor buildings and the way in which tenants interact with their space? Just as importantly, how can managers stay on the right side of the law while they do this?

There are two main types of legislation to bear in mind: health and safety type legislation and data protection legislation. Essentially, the more personal the data is, the greater care you need to take when using it. Whenever you use personal data, you need to tell people you're doing that, and where possible, give them choice and control over how their data is used.

'The more personal the data is, the greater care you need to take when using it'

Less is more

Facilities management teams are all too familiar with a mid-week 'spike' in office occupancy. You could share data from security turnstiles with occupiers' HR teams to encourage the spread of part-time attendance more evenly. Typically, this will show you not just how many people pass through turnstiles but also who they are and when they arrive and leave. Data protection laws require you to treat that sort of location data more carefully than anonymous data. Could you use a footfall counter instead?  

COVID-19 has brought temperature checks to some buildings, including hotels, healthcare sites, and workplaces. This type of medical information is intensely personal and requires special care before it can be used legally, It is also relevant that someone with the 'wrong' temperature could be denied access to their workplace: with severe consequences like this, it is no surprise that the law mandates a higher standard of care in relation to health data. High temperature because you're running late and have actually run part of the way? You should be allowed to cool down and have your temperature taken again. It is less easy to see how someone suffering hot flushes as part of the menopause can have her data corrected, and quite possibly discriminatory to put her in a situation where she needs to go through that process.  

CCTV can also be used to monitor buildings and how space is accessed; again this must comply with data protection law as it is potentially intrusive to individuals' privacy. When implementing systems that create a 'privacy risk' the GDPR may require the landlord to carry out a data protection impact assessment (DPIA), to ensure that the principles of 'privacy by design and by default' are incorporated.

Take the example of a meeting room. You might want to know how many people are in the room so you can adjust the ventilation systems to deliver enough fresh air. However, needing to know there are four people in the room doesn't mean you need to know which four. A sensor telling you when and how often a door is opened might help, but won't necessarily tell you how many people come in each time or whether they are coming or going. Another way of looking at this issue could be to measure something else entirely: what are the CO2 levels in the room? If you can't pump more oxygen in on demand, can you arrange a pop-up on a screen reminding people to take a break instead? Measuring CO2 levels tells you nothing about individuals so you're unlikely to be troubled by the terms of the GDPR.

Putting data in context

Building managers know better than anyone how quickly and often occupiers' requirements can change. So when you install new technology, think about how to future-proof it. For example, are sensors screwed in, or clickable and easy to move?

There will be a variation in data sensitivities in different countries, as well as different laws, so managers with international roles will need to keep abreast of these. Generally, people do not want to be tracked, and even in the workplace, individuals have a reasonable expectation of privacy. As well as national views on what's appropriate, the degree of trust between an employer and their employees is also critical in whether and how new technology is introduced and changes are made.  

The GDPR allows the information commissioner to impose fines based on an organisation's turnover. There's also a risk of bad publicity. However in our experience, data use within buildings is more likely to come into the spotlight when the employment relationship goes wrong than for any other reason. If a tenant's HR team want to know if Mr X has regularly gone through the turnstiles late and left early, can you tell them? If a disgruntled employee takes a stick of data with them when they stalk out for the last time, is this a data breach that must be notified to the data protection authority, or to the individuals whose personal data was contained in the memory stick? Make sure that all the relevant people in your organisation are informed on GDPR.

Faced by a bewildering array of sometimes gimmicky high-tech solutions, our advice is to remember that technology is a means to an end.  

Related competencies include: Data management, Property management

"Generally, people do not want to be tracked, and even in the workplace, individuals have a reasonable expectation of privacy"

Related Articles


go to article Why party wall surveyors must remain impartial


go to article BRE revises guidance on access to daylight and sunlight


go to article Guidance issued on EV fire safety in car parks