8) Data Management - L1 Mandatory Flashcards
My Level 1 Answer:
What legislation covers data protection in the UK ?
Data Protection Act 2018 and UK GDPR
What does GDPR stand for ?
General Data Protection Regulation
When did GDPR come into affect ?
New rules relating to how we collect and process personal data - the EU General Data Protection Regulation (GDPR) - came into effect in the UK on 25 May 2018.
Describe the Data Protection Act 2018?
Controls how your personal information is stored and used. Uk’s implementation of the GDPR. Stronger protection race, religious beliefs & sexual orientation
What could happen if you do not meet the requirements of GDPR ?
- £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher
- £8.7 million or 2% of the total annual worldwide turnover in the preceding financial year, whichever is higher
Have you completed any training on GDPR ? what did you learn ?
Yes, please see CPD …..
What are the maximum fines (UK GDPR) , how are the fines calculated ?
- £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher
How do you manage date at RLB?
Data is managed through RLB’s teams system, provides a secure platform to which job details are stored and are made available to team specific personnel. Our data management system is compliant with ISO9001:2015
Who does Freedom of Information Act Apply to?
Public right of access to information held by public authorities.
Does GDPR apply post Brexit ?
Yes, many aspects of GDPR will be converted into UK Law on 1st Jan 2021 under the titles UK GDPR. in turn companies will still need to comply
What will the changes include (GDPR post Brexit)?
UK government will control the UK GDPR as opposed to the European union.
Who oversee information rights in the UK ?
ICO - International Commissioners Office
https://ico.org.uk/
What happens if you are sharing or processing data from the EU ?
Adhere to :
* UK GDPR
* EU GDPR
* Data Protection Act 2018
Who enforces the data protection ?
Information commissioners office - ICO
How do you ensure data you hold on clients is kept secure and confidential ?
I use secure documents that are stored on password protected machines and servers. I also only keep the information I need and use it for the purpose it has been collected without passing it on unless I have approval prior.
What are the 7 GDPR principles? - LADSPAS
- Lawfulness, fairness and transparency – leave the individual fully informed
- Accuracy – where necessary kept up to date, erase inaccurate personal data without dela
- Data minimisation – collect the minimum data you need
- Storage limitation – Retain the data for a necessary limited period and then eras
- Purpose limitation – must inform your clients about the purpose of the data collection
- Accountability – Record and prove compliance
- Security - Integrity and confidentiality – Keep it secure, locked filing cabinet or fire wall
How have you changed the way you managed data during COVID 19 and home working ?
Only allowed to use work equipment, the storage of files/documents to be locked away, regular update on password protected equipment etc.
What does the Freedom of Information Act enable?
Limit access to sensitive data use smart passwords to resident details Firewalls and antivirus protection dedicated server stay on top of security updates Limit access to sensitive data use smart passwords to resident details.
How do you ensure the data that you hold on your clients is kept secure and confidential?
Limit access to sensitive data use smart passwords to resident details Firewalls and antivirus protection dedicated server stay on top of security updates.
Why do you keep company data for 12 years?
It is a requirement of our PII insurance that all contracts under deed are kept for a minimum of 12 years and under hand for 6 years. I am aware of the limitation act to claims which can be brought about up to 15 years after the act of negligence.
What is project extranet?
A computer network that allows controlled access from the outside for specific project purposes. Essentially is a system that allows individuals outside the company to view project files on a secure platform.
What is BIM?
Building Information Modelling. Software creating 3D models that allow industry professionals to better plan, design, construct and mange buildings/infrastructure.
What are the disadvantages of BIM?
Very expensive and not all construction professionals use it and therefore less experts.
How does BIM effect your role as a CA?
I’ve not used it but I would imagine that it simplifies the process by theoretically reducing the amount of variations required.
What should you do if there is a data breach ?
Inform the Information Commissioner’s Office not later than 72 hours after becoming aware of it.
What are ISO Standards ?
International Organisation for Standardisation. An international standard setting body of representatives from varying national standards.
* ISO 9000 – Quality Management Systems
* ISO 8000 – Data Quality
* ISO 14001 – Environmental Management Systems
* ISO 45001 – Health and safety
What is the limitations act ?
The Limitation Act 1980 is an Act of the Parliament of the United Kingdom applicable only to England and Wales. It is a statute of limitations which provides timescales within which action may be taken for breaches of the law.
Can you give me some example of the data you manage ?
- Client details
- Finances
- Contact details
- Project details
- Complaints
- etc
What is personal data ?
Personal data only includes information relating to natural persons who:
* can be identified or who are identifiable, directly from the information in question; or
* who can be indirectly identified from that information in combination with other information.
* Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
What are the UK GDPR Principles ?
The UK GDPR sets out seven key principles:
* Lawfulness, fairness and transparency
* Purpose limitation
* Data minimisation
* Accuracy
* Storage limitation
* Integrity and confidentiality (security)
* Accountability
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/
What are the GDPR rights ?
The UK GDPR provides the following rights for individuals:
* The right to be informed
* The right of access
* The right to rectification
* The right to erasure
* The right to restrict processing
* The right to data portability
* The right to object
* Rights in relation to automated decision making and profiling
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
What is the process if there is a data breach ?
- The UK GDPR introduces a duty on all organisations to report certain personal data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
- You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority or the affected individuals, or both.
- You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
What are the penalties for breaches of data protection?
The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements.
Can you expand on what BCIS is ?
The Building Cost Information Service, provides cost and price data for the UK construction industry. It is a part of the Royal Institution of Chartered Surveyors.
What are the principles of the Data Protection Act 2016 ?
LADSPAL
- Lawfulness, fairness, and transparency. Whenever you’re processing personal data, you should have a good reason for doing so.
- Purpose limitation.
- Data minimization.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality.
- Accountability.
Who enforces the data protection act ?
The Information Commissioner’s Office (ICO)
What are the penalties available ?
The UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover
What is the Data Protection Act 2018 ?
The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government
What are the principles of the Bribery Act ?
PCRCDM
* Proportionality
* Commitment (Top Level)
* Risk assessment
* Communication
* Due Diligence
* Monitor and Review
Why is it important that we safeguard information?
As personal data can be used in various ways
What kind of information is ‘sensitive’ information?
Health records, financial information, address, educational records etc
Why do the General Data Protection Regulations 2018 exist?
To control how your personal information is used by organisations, businesses or the government
Which body is responsible for enforcing the GDPR?
The Information Commissioner’s Office (ICO)
What does the Freedom of Information Act enable?
The Freedom of Information Act 2000 is an Act of the Parliament of the United Kingdom that creates a public “right of access” to information held by public authorities.
What are the benefits of using external data sources such as BCIS etc?
- Industry wide data
- Standardisation
- Data management
How do you ensure the data that you hold on your clients is kept secure and confidential ?
- We use an only system to carry out checks
- Operate a clear desk policy
- Shredding of details etc
- Two factor authentication of IT systems
How do you ensure the data that you hold on your clients is kept secure and confidential ?
- We use an only system to carry out checks
- Operate a clear desk policy
- shredding of details etc
- Two factor authentication of IT system
How long do you keep client’s data and how do you ensure it is deleted when necessary?
Dependent on the type of data and the contract
* Under hand - 6 years
* Under deed - 12 years
* Limitations act – 15 years
What are the 8 rights under GDPR ?
The Right to Information
The Right of Access
The Right to Rectification
The Right to Erasure
The Right to Restriction of Processing
The Right to Data Portability
The Right to Object
The Right to Avoid Automated Decision-Making
What is the new data protection legislation in the UK ?
UK GDPR
What types of breaches are there under GDPR ? DDA
- Disclosure
- Destruction
- Alteration
What is personal information ?
- Address
- DOB
- Bank details
What is sensitive information/data ?
- Medical records
- Sexual orientation
What is copyright ?
Copyright is an intellectual property right assigned automatically to the creator. It prevents unauthorised copying and publishing of an original work. Copyright applies to research data and plays a role when creating, sharing and reusing data.
What data do you typically store of clients?
Typically personal information such as name, address, email, phone number and commercially sensitive data such as information relating to security, transactions etc.
How long should you store the data for?
The shortest time you should keep files is six years (breach of contract claims) but the Limitation Act 1980 provides for a period of up to 15 years for a professional negligence claim (injury/loss etc). GDPR does not specify retention periods for personal data. Instead, it states that personal data may only be kept in a form that permits identification of the individual for no longer than is necessary for the purposes for which it was processed
What does the Limitation Act 1980 entail?
Limitation laws prevent certain legal claims being brought against a person or company after a defined period of time.
What are the penalties for not complying with GDPR?
Tier 1 - 2% turnover / 10million Euros - the greater
Tier 2 - 4% turnover / 20 million euros - the greater.
What is the Freedom of Information Act 2000?
Gives individuals rights to access information held by public bodies.
How do you delete data?
Right to erase - verbal or written request. Company 1month to reply. Not automatic response to delete.
What are the timescales for reporting a data breach?
72hrs.
What are the 4 levels of BIM?
Level 0 - Unmanaged CAD,
Level 1 - Managed CAD 2D / 3D,
Level 2 - Managed 3D with data but created in separate discipline models,
Level 3 - Single online model with construction sequencing, costs and life cycle info
What are the roles under GDPR?
Data Subject - person who is the subject of the data.
Data Controller - collects data and determines use of data.
Data Processor - processes data.
Data Protection Officer - monitor internal compliance
Supervisory authority - independant authority responsible for enforcing GDPR.
