GDPR Document Redaction for Estate Agents and Lettings Agencies
Tenancy applications, Right to Rent packs, referencing reports - every property transaction generates a file full of personal data belonging to people who had no choice but to hand it over. This guide walks through what UK GDPR actually requires from agents before those documents move.
By RedactProof Editorial Team · 1 May 2026
This guide is educational. Consult your DPO or legal counsel for jurisdiction-specific requirements.
A new tenant has just signed. You need to forward their referencing pack to the landlord. Inside that PDF: a copy of their passport, three months of bank statements, their employer's HR contact, and a credit summary with their full date of birth. Before you hit send, how much of that needs removing - and what happens if you don't?
UK estate agents and lettings agencies handle more personal data than almost any other small business sector. Tenancy applications, Right to Rent checks, referencing documents, mortgage-related correspondence, AML identity packs - every transaction generates a file full of personal information belonging to people who had no choice but to hand it over. UK GDPR applies to all of it.
The ICO has already demonstrated it will act against agents who mishandle this data. And the volume of complaints from the property sector is rising. This guide is a practical walkthrough of which documents need redacting, when, and why - written for estate agents and lettings professionals, not data protection lawyers.
What counts as personal data in a property transaction
Under the UK GDPR, personal data means any information that can identify a living individual. In practice, property transactions generate dense personal data at every stage.
Tenancy applications typically contain: full name, date of birth, current and previous addresses, employment details, salary, National Insurance number, bank account details, and references. Every item on that list is personal data.
Right to Rent checks require identity documents - passports, biometric residence permits, driving licences. These are among the most sensitive categories of personal data your business will ever hold.
Referencing reports from tenancy referencing agencies often contain full credit histories, county court judgement records, employer payroll verification, and previous landlord assessments. The same data flows to the instructing landlord - and that transmission is a disclosure of third-party personal data.
Landlord onboarding documents are less often discussed but equally in scope. Proof of ownership, bank details for rent payments, and in some cases tax documents - all personal data, all subject to the same handling obligations.
Not sure what qualifies? Our guide to what is PII covers the full spectrum of personally identifiable information in plain terms.
The ICO has already fined estate agents. Here's what went wrong
In July 2019, the ICO fined Life at Parliament View Limited - a London estate agency - £80,000 after the personal data of 18,610 customers was left exposed online for almost two years.
The breach involved a data transfer to a partner organisation where the agency failed to disable an anonymous authentication function on the storage system. Anyone who knew where to look could access the full dataset: bank statements, salary details, passport copies, dates of birth, and addresses of both tenants and landlords. The ICO investigation found a catalogue of security errors. Notably, the agency only notified the ICO after being contacted by a hacker who had found the exposed data themselves.
That fine was issued under the pre-GDPR Data Protection Act 1998. The maximum civil monetary penalty under that regime was £500,000. Under UK GDPR, the ceiling is £17.5 million or 4% of global annual turnover - whichever is higher. The £80,000 figure would look very different calculated against that scale.
The ICO received over 100 complaints from the property sector in a single quarter of 2023/24. The sector is on the regulator's radar, and individual agents cannot assume small size equals low risk. The ICO does not only pursue large firms.
When does redaction apply - and to what
Redaction is not something that only happens when a complaint is filed or a data breach is investigated. In property transactions, three common scenarios require active redaction before documents are shared:
Forwarding referencing or application documents to a landlord. The landlord is entitled to know whether a tenant is creditworthy and references check out. They are not necessarily entitled to the tenant's full NI number, the exact bank account details, or third-party referee contact information. Before forwarding a referencing pack, strip out anything that goes beyond what the landlord genuinely needs for their letting decision.
Responding to Data Subject Access Requests (DSARs). Under Article 15 of UK GDPR, any individual whose data you hold can request a copy. If a tenant or former client files a DSAR, you must respond within one calendar month. That response will often include documents that also contain third-party personal data - previous tenants, co-applicants, referees. That third-party data typically must be redacted before disclosure.
Passing files between agents or franchises. When a managed property switches agents, a landlord changes managing agent, or a franchise office transfers a case, entire file sets move between organisations. Each transfer is a disclosure. Tenant personal data in those files should be reviewed and unnecessary identifiers removed before the handover.
For a detailed walkthrough of the DSAR response process, see our guide to redacting documents for disclosure.
AML and KYC: the identity document problem
Since June 2017, estate agents handling the purchase or sale of residential or commercial property have been regulated entities under the Money Laundering Regulations. This means mandatory Anti-Money Laundering (AML) and Know Your Customer (KYC) checks on clients - both buyers and sellers, and in some circumstances landlords.
The practical consequence: your files contain copies of passports, driving licences, utility bills, and bank statements that were collected specifically to verify identity for AML purposes. These are among the most sensitive documents your business holds.
Three things happen with this material that create redaction risk:
- Internal sharing: if an AML file is reviewed by multiple staff members, or sent to a central compliance function within a larger agency group, it moves beyond the person who collected it. Not everyone who handles a file needs access to the full passport scan. Redact document numbers and photos from internal summaries where the full original is retained separately.
- Third-party disclosure: solicitors, mortgage brokers, and lenders may request confirmation of identity verification. They need to know you've carried out the checks - they do not automatically need a copy of the passport scan itself. Understand what you're obliged to provide versus what you're being asked for.
- File disposal and handover: when a transaction completes, AML records must be retained for five years under the Money Laundering Regulations. But if any version of that file is shared, summarised, or forwarded during that retention period, the personal data in it remains subject to UK GDPR. Retention obligation and sharing obligation coexist.
HMRC supervises estate agents for AML compliance in England and Wales. Non-compliance with the Money Laundering Regulations can result in civil penalties and criminal prosecution separately from any ICO action. These are parallel regimes, and a data protection failure in how you handle AML documents can trigger scrutiny from both.
A practical redaction workflow for common property documents
The documents that most often need redaction in a lettings or sales context fall into a short list. Here's how to approach each.
Tenancy applications and referencing packs - when forwarding to landlords, redact NI numbers, bank account and sort code numbers, full passport or licence numbers, and detailed credit information beyond a pass/fail summary. The landlord's decision turns on the overall picture, not the raw data.
Right to Rent identity documents - original checks should be conducted by the agent. Copies retained in file should be secured and access-controlled. If any copy is forwarded to a third party - a co-managing agent, for example - passport and licence numbers should be redacted from any transmitted version unless there is a specific legal necessity to share the full document.
Property condition reports and inventories - less obvious, but these often contain tenant names, contact numbers, and in some cases financial references. Before sharing with contractors, surveyors, or successor agents, check whether personal identifiers are necessary for the recipient's purpose.
Emails and correspondence chains - when forwarding an email thread to a landlord or solicitor, scroll back through the whole chain. Earlier messages may contain tenant financial details, AML information, or personal communications that were not intended for the current recipient.
For a step-by-step guide to redacting a PDF document, see how to redact a PDF.
RedactProof processes documents in your browser - files are never uploaded to any server. The AI detection identifies 40+ types of personal information automatically, including passport numbers, NI numbers, bank account details, and dates of birth.
The overlay redaction trap
One of the most common mistakes we see in the property sector: using a PDF editor to draw a black box over personal data, then sending the file. This is overlay redaction - and it is not redaction at all.
Overlay redaction leaves the original text in the file. Anyone who opens the PDF in a different viewer, copies and pastes the "redacted" area, or removes the overlay layer recovers the full text immediately. An overlay provides no data protection at all. The ICO's guidance on secure document disclosure explicitly flags this risk.
Permanent (pixel-burn) redaction destroys the underlying text. The characters are gone from the file entirely - not covered, removed. That's the only method that actually meets the standard of appropriate technical measures under UK GDPR Article 5(1)(f).
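A pre-send check for the difference described above, as an added example that is not RedactProof's code: it inflates each stream in a PDF and reports any value that should have been redacted but is still present as text. The two sample documents, the helper names and the sensitive values are constructed for illustration.

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# Literal strings shown with Tj, or arrays of string fragments shown with TJ.
TEXT_RE = re.compile(rb"\((.*?)(?<!\\)\)\s*Tj|\[(.*?)\]\s*TJ", re.S)
STRING_RE = re.compile(rb"\((.*?)(?<!\\)\)", re.S)

def extract_text(pdf_bytes):
    """Return the text drawn by Tj/TJ operators in every stream of the file."""
    shown = []
    for raw in STREAM_RE.findall(pdf_bytes):
        try:
            data = zlib.decompressobj().decompress(raw)  # FlateDecode stream
        except zlib.error:
            data = raw                                   # stored uncompressed
        for single, array in TEXT_RE.findall(data):
            if array:  # TJ splits one word into kerned fragments; rejoin them
                single = b"".join(STRING_RE.findall(array))
            shown.append(single.decode("latin-1"))
    return " ".join(shown)

def leaked_values(pdf_bytes, sensitive_values):
    """Values that should be gone but can still be extracted as text."""
    squash = lambda s: re.sub(r"\s+", "", s).lower()
    text = squash(extract_text(pdf_bytes))
    return [v for v in sensitive_values if squash(v) in text]

def pdf_with(content):
    """Constructed sample: wrap one content stream as a compressed PDF object."""
    body = zlib.compress(content)
    head = b"%%PDF-1.4\n4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n"
    return head % len(body) + body + b"\nendstream\nendobj\n"

# OVERLAY draws the text, then paints a filled black rectangle over it.
# BURNED is a page that only places a flattened image, with no text operators.
OVERLAY = pdf_with(b"BT /F1 12 Tf 72 700 Td (Sort code 12-34-56 Acct 12345678) Tj ET\n"
                   b"0 0 0 rg 70 695 300 16 re f\n")
BURNED = pdf_with(b"q 612 0 0 792 0 0 cm /Im0 Do Q\n")
SENSITIVE = ["12-34-56", "12345678"]  # made-up values

if __name__ == "__main__":
    for name, doc in (("overlay", OVERLAY), ("burned", BURNED)):
        print(name, "still contains:", leaked_values(doc, SENSITIVE))
```

An empty result only rules out literal Tj/TJ strings; hex-encoded strings, custom font encodings, annotations and metadata are outside this check.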
See our guide to common redaction mistakes for a full breakdown of what to avoid.
What a redaction policy looks like for an estate agency
A sole trader running a small lettings portfolio and a 50-branch franchise are both data controllers under UK GDPR. The scale differs; the obligations don't.
You don't need a 40-page document. A basic redaction policy for a property business should cover: which document types are subject to redaction before external sharing, who in the business is authorised to make those redaction decisions, the method required (permanent, not overlay), and a simple log of what was redacted from each document and why.
That log matters more than people realise. If a tenant later complains to the ICO that you sent their bank details to their landlord without justification, your ability to show a contemporaneous record of your process is the difference between a reprimand and an escalated investigation.
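One way to combine the referencing-pack step of the workflow above with the log this policy calls for, as an added example rather than RedactProof's implementation: it removes NI numbers, sort codes and account numbers from extracted text and writes a log entry that records what was removed and why without storing the values themselves. The patterns, field names and sample text are assumptions made for illustration, and every match is a candidate for human review.

```python
import re
from datetime import datetime, timezone

# Patterns for three of the identifiers the workflow says to strip before a
# referencing pack goes to a landlord (assumed formats; review every match).
PATTERNS = {
    "ni_number": re.compile(
        r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
        r"\s?(?:\d{2}\s?){3}[A-D]\b"),
    "sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "account_number": re.compile(r"\b\d{8}\b"),  # broad: any 8-digit run
}

def redact(text, document, recipient, authorised_by, reason):
    """Return (redacted_text, log_entry). The log never stores the values."""
    hits = sorted((m.start(), m.end(), kind)
                  for kind, rx in PATTERNS.items() for m in rx.finditer(text))
    out, pos, items = [], 0, []
    for start, end, kind in hits:
        if start < pos:          # overlaps a span that was already removed
            continue
        # The characters are replaced in the text itself, not covered.
        out.append(text[pos:start] + f"[REDACTED {kind}]")
        items.append({"type": kind, "offset": start, "length": end - start})
        pos = end
    out.append(text[pos:])
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "document": document, "recipient": recipient,
        "authorised_by": authorised_by, "reason": reason,
        "method": "permanent", "items": items,
    }
    return "".join(out), entry

# Constructed referencing-pack extract; all values are made up.
SAMPLE = ("Applicant NI: AB 12 34 56 C\n"
          "Sort code 12-34-56, account 12345678\n"
          "Referencing result: PASS\n")

if __name__ == "__main__":
    clean, log_entry = redact(SAMPLE, "referencing-pack.pdf", "landlord",
                              "branch manager", "not needed for letting decision")
    print(clean)
    print(log_entry)
```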
We've published a redaction policy template that estate agents can adapt, covering each of these elements with plain-language guidance.
Frequently Asked Questions
Do estate agents have to comply with UK GDPR?
How long do I need to keep tenant personal data after a tenancy ends?
What happens if a tenant files a Subject Access Request?
Is drawing a black box over text in a PDF sufficient redaction?