Data management Flashcards

1
Q

What legislation covers data protection?

A

General Data Protection Regulation (GDPR)

In the UK, the Data Protection Act 2018 (DPA) covers processing that does not fall within EU law, for example relating to immigration and national security.

2
Q

What is the Data Protection Act?

A

Controls how your personal information is used by organisations, businesses or the government

3
Q

When did GDPR come into effect?

A

25 May 2018

4
Q

Have you completed any training on GDPR?

A

Yes. We have to undertake mandatory GDPR training every two years.

5
Q

What data does your company have?

A
  • Details of current, past and prospective employees, clients, suppliers and others that we communicate with.
  • Tenants
6
Q

What is personal data?

A

Personal data means any information relating to an identified or identifiable natural person (‘data subject’);

An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (Source: Article 4 GDPR)

7
Q

Who ensures compliance?

A

Nominated Data Protection Officer (DPO)

The DPO is supported by a core team who provide assistance with a number of different areas relating to the protection of information and who can help with queries.

8
Q

Who does the Freedom of Information Act apply to?

A

Public right of access to information held by public authorities.

9
Q

Does GDPR apply post Brexit?

A

Yes, many aspects of GDPR will be converted into UK law on 1st Jan 2021 under the title UK GDPR. In turn, companies will still need to comply? Double check this.

10
Q

What are the maximum fines (UK GDPR), how are the fines calculated?

A

£17.5 million

or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.

11
Q

What are 10 tips to ensure compliance with GDPR?

A
  1. Prepare diligently to ensure compliance
  2. Assess any privacy risks inherent in business processes/activities
  3. Involve IT support to make appropriate changes
  4. Provide staff training and support on data security
  5. Appoint a Data Protection Officer if required by GDPR
  6. Ensure you have adequate systems to deal with a breach and subsequent notification to the ICO (within 72 hours)
  7. Do your systems comply with all GDPR principles, including the right to be forgotten
  8. Update your internet security, e.g. virus protection, including on desktops, laptops and mobile phones
  9. Ensure any data already held is up to date and compliant with GDPR
  10. Can you release personal data promptly if a subject access request is made?
12
Q

Who oversees information rights in the UK?

A

ICO - Information Commissioner's Office

13
Q

How do you ensure data you hold on clients is kept secure and confidential?

A
  • I use secure documents that are stored on password protected machines and servers.
  • I also only keep the information I need and use it for the purpose it has been collected without passing it on unless I have approval prior.
14
Q

What are the 7 GDPR principles?

(LFT-A-DM-SL-PL-A-S)

A
  1. Lawfulness, fairness and transparency – leave the individual fully informed
  2. Accuracy – where necessary kept up to date, erase inaccurate personal data without delay
  3. Data minimisation – collect the minimum data you need
  4. Storage limitation – Retain the data for a necessary limited period and then erase
  5. Purpose limitation – must inform your clients about the purpose of the data collection
  6. Accountability – Record and prove compliance
  7. Security - Integrity and confidentiality – Keep it secure, locked filing cabinet or firewall
15
Q

How have you changed the way you managed data during COVID-19 and home working?

A
  • No paperwork/documents
  • Only use work equipment
  • Regular password changes
16
Q

How do DPA and GDPR differ?

A

  • Accountability to ensure that data is kept in accordance with the principles of GDPR
  • Tougher penalties for non-compliance
  • Wider definition of personal data
  • Non-EU organisations holding EU-related personal data will need to comply
  • Parental consent required for holding personal data of <16s
  • Active consent must be required to hold data, i.e. silence does not equal consent
  • Data breaches must be notified to ICO within 72 hours of awareness, unless exceptional circumstances apply
  • Risk-based reviews (Privacy Impact Assessments) must be undertaken for high risk activities
  • Right to be forgotten introduced
  • Requirements for electronic data portability if a data request is submitted
  • Compliance/privacy by design must be included within systems and processes, including staff training and contractual clauses
  • Additional liabilities placed on both data controllers and processors

17
Q

How do you ensure the data that you hold on your clients is kept secure and confidential?

A
  • Limit access to sensitive data; use smart passwords for resident details.
  • Internal ICT perform regular updates for firewalls and antivirus protection.
  • Internal servers permission for access to only those who need the information. Permission removed when you no longer need access to the information.
18
Q

Why do you keep company data for 12 years?

A
  • It is a requirement of our PII insurance that all contracts under deed are kept for a minimum of 12 years and under hand for 6 years.
  • I am aware of the Limitation Act, under which claims can be brought up to 15 years after the act of negligence.
19
Q

What is project extranet?

A

A computer network that allows controlled access from the outside for specific project purposes. Essentially, it is a system that allows individuals outside the company to view project files on a secure platform. (Revit)

20
Q

What is BIM?

A

Building Information Modelling. Software creating 3D models that allow industry professionals to better plan, design, construct and manage buildings/infrastructure.

21
Q

What are the disadvantages of BIM?

A

Very expensive, and not all construction professionals use it, so there are fewer experts.

22
Q

What should you do if there is a data breach?

A

Inform the Information Commissioner’s Office not later than 72 hours after becoming aware of it.

23
Q

What are ISO Standards?

A

International Organisation for Standardisation

  • An international standard-setting body made up of representatives from various national standards bodies
24
Q

What is the Limitation Act?

A

The Limitation Act 1980

  • Act of the Parliament of the United Kingdom applicable only to England and Wales.
  • It is a statute of limitations which provides timescales within which action may be taken for breaches of the law.
25
Q

Can you give me some examples of the data you manage?

A
  • Client details
  • Project details
  • Contractor details
  • Project finances
26
Q

What are the GDPR rights? (IARERPO)

A
  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling
27
Q

Can you expand on what BCIS is?

A

The Building Cost Information Service

  • Provides cost and price data for the UK construction industry. It is a part of the Royal Institution of Chartered Surveyors.
28
Q

What are the benefits of using external data sources such as BCIS etc?

A
  • Industry wide data
  • Standardisation
  • Data management
29
Q

Why is it important that we safeguard information?

A

As personal data can be used in various ways

30
Q

What kind of information is ‘sensitive’ information?

A

Health records, financial information, address, educational records etc

31
Q

Why do the General Data Protection Regulations 2018 exist?

A

To control how your personal information is used by organisations, businesses or the government

32
Q

How do you ensure the data that you hold on your clients is kept secure and confidential?

A
  • We use an online system to carry out checks
  • Operate a clear desk policy
  • Shredding of details etc
  • Two factor authentication of IT systems
33
Q

How long do you keep client’s data and how do you ensure it is deleted when necessary?

A

Dependent on the type of data and the contract:

  • Under hand - 6 years
  • Under deed - 12 years
  • Limitation Act – 15 years
34
Q

What types of breaches are there under GDPR?

(DDA)

A
  • Disclosure
  • Destruction
  • Alteration
35
Q

What is copyright?

A
  • Copyright is an intellectual property right assigned automatically to the creator.
  • It prevents unauthorised copying and publishing of an original work.
  • Copyright applies to research data and plays a role when creating, sharing and reusing data.
36
Q

What is a controller?

A

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

37
Q

What is a processor?

A

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

38
Q

What is the role of a controller?

A

Controllers make decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing.

39
Q

What is the role of a processor?

A

Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own.

40
Q

What do you do in the event of a data breach; what control measures are in place?

A

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

  • Antivirus protection
  • Email system traffic is monitored, filtering spam/fraudulent emails
  • Data Protection Team - we must report to our Information, Governance & Feedback Information Team immediately (within 72 hours).
  • Also report to the IT Service Desk immediately.
  • Fill out the Personal Data Breach Template

If I am in doubt, I would go to the Information Commissioner's Office website for further information.

41
Q

What is a data protection impact assessment?

A

Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.

42
Q

What do you do contractually with regards to data?

A

Clause is altered within the contract (1 of 2) depending on whether data collection will form part of the project in any way.