STAIRs & Housing Ombudsman changes — what housing associations must do to prepare

We explore how the Housing Ombudsman’s role is changing and outline the practical steps to remain compliant.
Talk to us: 0333 004 4488 | hello@brabners.com | Message our team
AuthorsPaddy FearnonEleanore Beard
6 min read

Transparency and tenant empowerment remain central to ongoing reform in the social housing sector. The introduction of the Social Tenant Access to Information Requirements (STAIRs) — alongside proposed changes to the Housing Ombudsman Scheme — marks a significant step towards greater accountability for private sector housing associations and/or providers.
With implementation beginning in October 2026, providers should now be actively preparing for the shift in tenant information access obligations and complaints handling.
Here, Paddy Fearnon and Eleanore Beard from our data protection team explain the key STAIRs compliance requirements for housing associations, explore how the Housing Ombudsman’s role is changing and outline the practical steps that providers must take to remain compliant and avoid scrutiny.
The STAIRs framework gives tenants of housing associations clearer rights to access information about how their homes and services are managed.
In practice, housing associations must:
Unlike local authorities, housing associations aren’t subject to the Freedom of Information Act 2000 (FOIA), meaning that STAIRs introduces a new, tailored transparency regime for the sector.
One of the most significant changes made within the Housing Ombudsman as a result of the STAIRs consultation is the expansion of its jurisdiction to cover information access complaints.
The Ombudsman will now:
Importantly, STAIRs complaints will sit outside the existing Complaint Handling Code, creating a separate process that providers must manage in parallel.
The emphasis will be on whether decision-making is reasonable, consistent and well evidenced — not simply whether information was provided.
STAIRs introduces a clear and structured process for private housing associations, ensuring standards of transparency that will include:
Information requests can be made by a social housing tenant of the registered provider or a representative nominated by the tenant to communicate with the provider on their behalf. Similar to FOIA, for a request to be valid, the applicant must be identifiable and the request itself must be made in writing.
It’s therefore important that as a provider of social housing you’re able to identify these requests, as tenants don’t need to expressly mention STAIRs for the request to fall within the regime.
As a provider of social housing, you’ll also need to fulfil a request for information as quickly as you can within 30 calendar days. A provider of social housing can take longer but only in exceptional cases, such as where they need more time to decide if some information should be withheld or get information from a contractor or another organisation.
If the response will be late, you must tell the requester why and when they should expect a reply. If you refuse the request, you must explain why.
There will be instances where you can remove or hide information where needed. Where you do provide information, you should also try to provide it in a format that the requester can use.
If the request is unclear, you should help them to explain what information they want.
If a requester is dissatisfied:
You should consider whether you’re ready to respond to an initial information request and deal with any complaint about how you’ve complied with STAIRs.
Unlike traditional complaints, STAIRs is expected to focus less on compensation and more on improving transparency and decision-making.
The Ombudsman is more likely to:
This signals a shift towards systemic accountability rather than one-off financial remedies.
The STAIRs framework will be introduced in phases:
Alongside this, the Regulator of Social Housing is introducing a separate standard, creating a dual framework of regulatory oversight and complaints enforcement.
Could your current record-keeping withstand Ombudsman scrutiny?
Providers will need:
Historic data gaps may present challenges, particularly where information hasn’t been centrally stored.
STAIRs will sit alongside existing legal regimes, including:
Housing associations must ensure that responses to information requests are consistent across these frameworks, particularly where disclosure may engage confidentiality or data protection considerations.
STAIRs is designed to empower tenants to challenge their landlord.
Non-compliance could lead to:
The introduction of STAIRs represents a fundamental shift towards greater transparency and tenant accountability in the social housing sector.
The direction of travel is clear: housing associations will be expected to disclose more, respond faster and justify decisions more robustly.
Providers that begin preparing now by strengthening information governance, reviewing processes and training staff will be best placed to meet these expectations. Those that delay risk falling behind and facing increased scrutiny once the framework takes effect.
As the regime beds in, early Ombudsman decisions are likely to shape best practice. Staying ahead of these developments will be key to managing risk effectively.
Don’t leave STAIRs compliance to the last minute.
If you’d like support with your STAIRs readiness — including reviewing your publication scheme, stress-testing your processes or aligning your approach with wider regulatory obligations — our housing and data protection teams can help.
To discuss how this applies to your organisation, talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form.
Paddy Fearnon
Paddy is a Trainee Solicitor in our commercial and intellectual property team.
Read more
Eleanore Beard
Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.
Read more
Loading form...

We explore how the Housing Ombudsman’s role is changing and outline the practical steps to remain compliant.

We explain why uncontrolled use of public AI tools creates real confidentiality and data protection risks and outline how you can manage them safely.

We delve into the key changes coming into force on 19 June 2026 and explain how businesses should prepare.

We explore the implications of the attacks for UK businesses and outline the practical measures that can help to mitigate similar disruption.

We explore why retailers are particularly affected by deepfakes and the implications around data protection, IP, advertising compliance and more.

We explore how AI is transforming data protection, the risks that organisations now face and what effective compliance looks like today.

We break down what the ICO found and outline three key steps that UK businesses should take now.

We look at the UK GDPR and the Data Protection Act 2018 and outline how the GDPR can apply to both organisations and individuals as data controllers.

We break down the key proposed reforms in the Digital Omnibus Package and outline what businesses should do to prepare.

Find answers to our most frequently asked questions about data protection and privacy from our lawyers.

We explore the key developments that in-house lawyers should have on their radar and what they mean for your organisation in the year ahead.

We explain the impact of the cyber-attack on JLR's workforce and outline what to do to protect your business and minimise the impact if an incident occurs.

We outline eight key steps to put your organisation in the strongest position for a prompt and effective response to any cyber-attack.

We explore how charities will need to manage their marketing activities and supporter consent once the secondary legislation takes effect.

We explore how weak cybersecurity and slow responses can trigger major data breaches and resulting ICO fines.

The EU Data Act is a regulation designed to reshape the European data economy by establishing harmonised rules for data access, sharing and portability.

Designed to amend the UK’s existing data privacy regime, the DUA Act will affect the UK GDPR, PECR and the Data Protection Act 2018.

We delve further into cyber attacks on three major retailers and outline five key steps to take in any cyber-attack preparedness and response plan.

The EU Commission handed out fines of €500m and €200m to Apple and Meta respectively. We outline each fine and the legality of 'consent or pay' models.

Prevention is always better than cure. Assess your compliance with data protection law and the changes that could lie ahead in the year to come.

Athletes might be asked to provide highly sensitive forms of personal data when competing. Here's eight steps to comply with data protection legislation.

We explore the evolution of Spotify Wrapped and present five top tips for companies looking to use personal data for viral marketing campaigns.

The EU Artificial Intelligence Act is here and brings a number of considerations as to how businesses manage personal data, GDPR compliance and privacy policies.

The use of AI and technology in sporting events is ever-growing — and the Paris 2024 Olympic Games were no exception.

Data protection specialist outlines the ten key steps that any organisation should follow when using biometrics.