Data Management Flashcards
What is GDPR?
EU General Data Protection Regulation 2016 (GDPR)
What is the Data Protection Act 2018?
The UK's implementation of GDPR
When did the Data Protection Act come into force?
25th May 2018 -> replaced the Data Protection Act 1998
Is there any RICS guidance on Data Management?
(archived) RICS Guidance Note - Electronic Document Management
When did GDPR come into force?
May 2018 (same as DPA 2018)
Why was the Data Protection Act 2018 introduced?
1998 Act -> brought in to cover modern data and technology
2018 Act -> to incorporate new EU GDPR legislation
What are the principles of GDPR and DPA 2018?
- Information used lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate (kept up to date)
- Kept no longer than necessary
- Kept safe
What are the individual rights under GDPR and DPA 2018?
- To be informed
- To access
- To rectification
- To erasure
- To restrict processing
- To data portability
- To object
- To automated decision making and profiling
What are the penalties under GDPR and DPA 2018?
Fines (4% of annual global turnover or 20 million Euros)
What is the purpose of GDPR?
Protect citizens' data
What constitutes personal data?
Information relating to a person that can be used to identify that person
e.g. names, photo, email, bank details, IP address
Give some examples of personal data under GDPR that could apply to property companies
- Data relating to investors
- Fund managers
- Valuations
- Compliance
- Bookkeeping / payroll
- Background checks
- HR
To what organisations does GDPR apply?
All organisations
Are any organisations exempt from GDPR?
Exceptions for organisations with fewer than 250 employees
Private individuals not engaged in business activities
What is the ‘right to access’ under GDPR?
Individuals have the right to obtain confirmation that their data is being processed, access to their personal data and other supplementary information
What is a breach notification under GDPR?
GDPR introduces a duty on all organisations to report certain data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach
- Where the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, they must be informed without delay
How are breaches often discovered?
Access logs, reported thefts, lost equipment, or data security incident
How have consent conditions been strengthened under GDPR?
Consent must be given with the purpose for data processing attached to that consent
- Consent must be clear and indistinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language
- It must be as easy to withdraw consent as it is to give it
What is the right to be forgotten under GDPR?
Under Article 17 of the GDPR, individuals have the right to have personal files erased in certain circumstances
- e.g. data is no longer necessary for its original purpose
- Data has been processed unlawfully
What is data portability?
Introduced by GDPR
- The right for a data subject to receive personal data concerning them which they have previously provided in a 'commonly used and machine-readable format' and the right to transmit that data to another controller
What is privacy by design?
Legal requirement under GDPR
- Calls for the inclusion of data protection from the outset of designing systems, rather than as an addition
What is a data protection officer?
An individual appointed to monitor internal compliance and to inform and advise on an organisation's data protection obligations
Only required if the organisation is a public body or authority, or if the organisation carries out certain types of processing activities
Provide some examples of types of data held by surveying practices that are covered under GDPR
- Data held to help service a Client (accounting info, compliance systems)
- Emails and other correspondence
- Other physical records held on file
- Customer data held for marketing purposes
What are the obligations imposed by GDPR?
- must have knowledge of the data you store and process (including its location and security)
- Have to be able to delete every instance of an individual's data
- Must demonstrate compliance in managing data
- Must be able to prove how information is being used
- Must offer data portability
Who regulates GDPR in the UK?
The Information Commissioner's Office
What are the RICS best practice points for compliance with GDPR?
- Conduct data reviews to understand risks
- Anonymise data where possible
- Encrypt where possible
- Create a breach response policy
- Treat commercial data as personal data (even though not covered under GDPR)
- Understand data processes
What is your company's policy for data protection?
Suspected breaches should be reported to the individual's line manager or the firm's data protection officer
What are the RICS best practice recommendations for using confidential information?
- Think about whether the information held is personal information or confidential information
- Document the processes for which you hold information and how consent to hold it is gained
- Keep a record of consent for processing, storage and retention
- Check that you have appropriate contractual clauses for use of the information, or that the data used is owned or licensed for that use
What should be included in a firm's privacy notice?
- What information you have
- What the information will be used for
- Which third parties you might share the information with
- How long the information is kept for
- What legal right the firm has
What is SAR?
Subject Access Request
- A demand that the individual be given all the information a company holds on them
What is the Freedom of Information Act and when did it come into force?
Freedom of Information Act 2000
- Gives individuals the right of access to information held by public bodies
- Public body must supply it in 20 working days (can charge a fee)
What is required for a Land Registry compliant plan?
- Drawn to a scale of 1:100 or 1:200
- Have a scale measurement bar
- Have the scale noted on the plan
- Include a 1:1250 scale map of the location
- Full address
- North point
- Demise in red outline
What are the provisions of the Land Registry Act (2002)?
- A framework for electronic property conveyancing
- All freeholds and leases over 7 years must be registered
- New regime for adverse possession (over 10 years)
- Works towards Land Registry’s goal of having all property registered electronically by 2030
How do you comply with GDPR in your role?
- I report suspected breaches
- I do not give out confidential or personal information
- I keep records of consent for processing, storing and retaining data
- I understand the information we hold that is protected by GDPR
Give me an example of how you process and handle confidential information?
- I use document systems to add, amend and remove information (data input forms)
- When sending information to solicitors, I ensure files are uploaded to a secure data room
- Anonymised ELI information for TUPE
- Password and account to enter management systems
What does encryption mean?
Mathematical function that encodes data in such a way that only authorised users can access it
What is a firewall?
Network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules
Tell me about how you extract data from a source regularly used in your role
Extract data from leases and enter into a new lease input form. This is securely sent to Data Input who then upload the information to TRAMPS where the data is held securely for those with password access
What is ISO 9001?
Sets out the requirements for how firms should control data and documents relevant to the service they provide
What is the difference between a deed and a registered title?
A deed is a physical document declaring a person's legal ownership
Registered title is ownership recorded with Land Registry electronically
Give me an example of a property information tool
Government search website - title register
Sharepoint
vRoom
Horizon
TRAMPS
Can you tell me about the retention of files and the Limitations Act 1980?
Section 5 of the Limitations Act 1980 says legal action must be brought within 6 years of the issue arising
- Businesses then have a responsibility to keep documents for at least 6 years after they expire
What does the Privacy and Electronic Communications Regulations 2003 apply to?
Makes it unlawful to transmit an automated recorded message for direct marketing purposes via telephone without the subscriber's prior consent
Give me an example of how you ensure that data is kept securely
- Access is restricted to users by password
- Firewalls in place by IT team to protect against hacking
- Appropriate training undertaken to understand processes
What is an AVM?
Automated Valuation Model
- Mathematical / Statistical modelling with databases of existing properties and transactions to calculate real estate values
Does RICS provide any guidance on AVM?
RICS Road Map: Automated Valuation Models Roadmap for RICS members and stakeholders, 2021
Explain the growing use of AVMs in the industry?
Use of computer modelling in the science of valuation has merit in a world with increased availability and use of data
- may reduce expensive litigation
Are electronic signatures accepted by the Land Registry?
Yes, witnessed electronic signatures accepted from July 2020
What type of documents can be signed electronically?
Deeds - must be witnessed
Contracts
What is an Electronic Document Management System?
A type of software that stores, organises and manages documents in the form of electronic files -> Sharepoint