APC Mandatory - Data Management Flashcards

(48 cards)

1
Q

What is data

A

Information collected to be examined or considered for use to help decision making, in varying forms. Raw form of knowledge.

2
Q

What is personal data

A

UK GDPR Article 4
Personal data is any information relating to an identified or identifiable natural person (data subject), and an identifiable natural person is one who can be identified directly or indirectly.

3
Q

What is the Freedom of Information Act?

A

Gives individuals the right to access information held by public bodies

4
Q

What are the exceptions to a FOI request

A
  1. Contrary to GDPR requirements
  2. It would prejudice a criminal matter
  3. CRCA overrides FOI request
5
Q

What are the benefits to cloud based storage systems?

A
  1. Info backed up securely on encrypted servers
  2. Environmentally friendly
  3. Could be cheaper than managing hard copy files
6
Q

What is a non disclosure agreement?

A

Used to protect against disclosure or sharing of confidential data

Prior to sharing confidential info, the recipient will be requested to sign an NDA to ensure confidentiality

7
Q

If 2 departments within your firm were working for 2 rival companies, how would you ensure data confidentiality?

A

Per RICS Global COI 2018

1) Make client aware of risks involved with COI
2) Request written confirmation from both parties
3) Conflict management:
Ensure single communication lines to client, separate working locations for staff and NDAs; also make sure data is secure

8
Q

Key persons outlined in GDPR?

A

CONTROLLER
Determines process and means of processing of personal data (i.e. employer processing employees' data; employer is considered the controller)

PROCESSOR
Processes data on behalf of the controller (i.e. call centre on behalf of client).

DATA PROTECTION OFFICER
Under GDPR, the DPO is a required leadership role overseeing data protection

9
Q

What are the 8 individual rights under GDPR

A

Article 5 Part II
Rights to
1) be informed
2) access information
3) rectify information
4) erasure
5) Restrict data processing
6) data portability
7) object
8) automated decision making and profiling

10
Q

What things must companies put in place to ensure GDPR

A

Raise awareness
Review procedures
Audits

11
Q

CEW FS

How is data managed and protected within your firm?

A

VOA policy CEW-FS
Clear desk policy
Encryption technology
Waste disposal for restrictive info/data
Firewall protection
Security markings

12
Q

What is GDPR?

A

Gives rights and protection to living data subjects over who holds their personal data and how that data is used

13
Q

Name some exemptions to GDPR

A

Law enforcement
National Security
Domestic Purposes

14
Q

What are the key principles of GDPR?

A

LDP ASIA
Lawful fair and transaction
Data minimisation
Purpose limitation
Accuracy
Storage limitations
Integrity and confidentiality
Accountability

15
Q

Who is the responsible body for overseeing GDPR in the UK?

A

Information Commissioner's Office

16
Q

GDPR breach what happens?

A

Inform ICO within 72 hrs
Can be fined up to 20m euros or 4% of turnover, whichever is greater

17
Q

What is the purpose of CRCA 2005

A

Protect taxpayer confidentiality

18
Q

What is Section 10 of the CRCA 2005

A

Allows the VOA to provide a valuation of property:
- For any purpose relating to its function
- At the request of a public authority

19
Q

RNP

How long can you store data for under the CRCA

A

No time limit, but needs to be reasonable, necessary and proportionate

20
Q

What act covers data in the UK

A

Data Protection Act 2018 and its amended version 2021 post-Brexit

21
Q

What happens if you breach CRCA?

A

Sec 19
Maximum 2 years' imprisonment or unlimited fine

22
Q

Can you use someone else’s work

A

Under the Copyright, Designs and Patents Act 1988
Sec 50 allows for stat function
Sec 45 allows for judicial proceeding
If you receive permission from the copyright owner
In accordance with terms of publisher
Acknowledge source

23
Q

What is the deadline once a FOI or SAR is requested?

A

Depends
GDPR - Should respond within 1 month (Article 12). This can be extended to 2 months where complex.
FOI - 20 working days

24
Q

Which acts are relevant to data management

A

GDPR 2018
DPA 2018
CRCA 2005
EIR 2004 (covers FOI relating to environmental matters)
Copyright, Designs and Patents Act 1988
FOI 2000
PRA 1958 (must manage data in accordance with FOI sec 46)

25
How does your employer store data?
CDB - local taxation and SDLT
EDRM - holds historic correspondence and plans
NBS - holds taxation info for non-standard properties
CWS - holds CCA-related information
26
Fines under GDPR
4% of global turnover or 20m euros
27
What is ISO 27001
First published in 2005 by the International Organization for Standardization (ISO), recently revised in 2022. Widely used global security framework focusing on data confidentiality, integrity and availability [CIA]. It involves audits followed by ongoing certification. Helps organisations have a better approach to data security.
28
What are the main differences between DPA and GDPR?
In summary, the GDPR serves as the foundational regulation for data protection in the EU, while the UK DPA 2018 adapts GDPR principles to the UK’s context, particularly after Brexit. There is a new accountability requirement: you are required to show how you comply with the principles.
29
When did GDPR come into force
May 2018
30
What is the DPA 2018
* The act replaces previous 1998 legislation and manages how personal data is processed by organisations and the government.
* It is the UK legislation for the implementation of the EU General Data Protection Regulations (GDPR).
31
When sharing FOR data, why does the name need redacting
Reg 17 allows IP to view rental info. Does not say in what required format. S18 of CRCA restricts how we share info. GDPR states we should be minimising data. As the contact details have no relevance they should be redacted
32
How do you handle a UK GDPR request (SAR)?
Refer request to SAR team
33
Difference between GDPR and UK GDPR
While the UK GDPR is based on the original EU GDPR and is very similar in its core principles, there are some key distinctions to be aware of. First, it's important to understand that the UK GDPR is essentially the EU GDPR that was incorporated into UK law after Brexit. As a result, both regulations share the same fundamental principles, including:
* Data subject rights and obligations etc.

Key differences post-Brexit:
* Jurisdiction and applicability:
  * EU GDPR: Applies to organizations in the EU and to organizations outside the EU that retain data of individuals in the EU.
  * UK GDPR: Applies to organizations in the UK and to organizations outside the UK that retain data of individuals in the UK.
* Supervisory authority:
  * EU GDPR: Enforced by national data protection authorities in each EU Member State, coordinated by the European Data Protection Board (EDPB).
  * UK GDPR: Enforced by a single authority (ICO).
* Penalties and fines:
  * EU GDPR: Fines are set in Euros, with a maximum of €20 million or 4% of a company's global annual turnover, whichever is higher.
  * UK GDPR: Fines are set in British Pounds, with a maximum of £17.5 million or 4% of a company's global annual turnover, whichever is higher.
* Specific adaptations: The UK GDPR has been adapted to fit the UK's legal framework. This includes modifications for areas such as:
  * National security, immigration, and intelligence services, which are largely excluded from the EU GDPR but are addressed by the UK's Data Protection Act 2018 (DPA 2018), which supplements the UK GDPR.
  * The age of digital consent for children, which is 13 in the UK, compared to 16 under the EU GDPR (though individual EU member states can set a lower age, not below 13).
34
Diff between DPA and GDPR
GDPR - personal data
DPA - even non-personal data, even if anonymised
35
Has the Data Management policy been affected by the merger of HMRC/VOA?
No new rules introduced. Rather, it reinforces that VOA must comply with HMRC standards. Includes guidance on emerging issues such as AI.
36
Data (Use and Access) Act 2025
- Received Royal Assent in June 2025, with the plan to phase in by June 2026.
- It introduced a new Information Gateway that allows for the sharing of personal information by HMRC for the purpose of providing digital verification services. The Act specifies that any person receiving information through this Gateway must not further disclose it, except with the consent of the Commissioners, and that a violation of this provision can result in penalties under the Commissioners for Revenue and Customs Act 2005.
37
Explain your understanding of the term intellectual property.
* Legal rights of creators and owners of songs, books, videos, photos and designs.
* Allows their creators to control and protect against unauthorised use.
38
What is your understanding of the term ‘Meta Data’ and why is this important?
Meta Data is information about a specific piece of data; for example, when a photo is shared it may contain meta data on the location where the photo was taken, the person who took the photo, the date the photo was taken, its file size and the device it was taken on. As chartered surveyors, we must ensure that this meta data is afforded the same level of care as all other confidential data.
39
What is your understanding of the term Confidentiality?
Information which is protected from unauthorised access or disclosure.
40
Who is the data controller in your org.?
HMRC
41
What is the protocol in your org. when there is a data breach?
Must log report with IAD team within 48hrs
42
What is an information barrier
Physical/electronic separation which prevents information from being passed between individuals
43
Data retention period under GDPR?
No longer than necessary per GDPR VOA retention schedule
44
What do you do if there is a data breach in your organisation?
Report to data protection officer in organisation within 48hrs
45
Can you use FOR data in DVS?
Yes under S17
46
Under Public Records Act 1958 how long can data be stored for?
20 years but my employer can apply for extension
47
How do UK GDPR and the Data Protection Act 2018 apply to your work?
* UK GDPR sets the data protection principles and rights; the DPA 2018 implements and tailors them in UK law
* so I ensure lawful basis, data minimisation and storage limitation in all case data.
48
What is the purpose of the Freedom of Information Act 2000 in your context?
FOIA gives the public a right of access to recorded information held by public authorities; requests are handled via formal routes and assessed against exemptions before disclosure.