Data management Flashcards
What is the relationship between good data and property management?
How do you use SCC’s asset management system?
How do you use property databases such as CoStar?
How do you apply SCC e-learning on GDPR / the Data Protection Act 2018?
Principles (UK GDPR Article 5):
1. processed lawfully, fairly and transparently
2. collected for specified, explicit and legitimate purposes (purpose limitation)
3. adequate, relevant and limited to what is necessary (data minimisation)
4. accurate and kept up to date
5. kept in a form which identifies individuals for no longer than necessary (storage limitation)
6. processed securely (integrity and confidentiality)
(a seventh, accountability, requires the controller to be able to demonstrate compliance; the purposes are usually explained in a privacy notice/policy)
individual rights:
- Subject Access Requests (respond within 1 month, normally no fee)
- to have data corrected, erased or its processing restricted
- not to be subject to decisions based solely on automated processing
(consent must be unambiguous and a clear affirmative action, i.e. ticking a box rather than failing to untick a pre-ticked one)
- data portability (move data from one IT environment to another)
LLISSA
Lawful
Limited
Identifies
Specific
Secure
Accurate
- organisations have 72 hours from becoming aware of a breach to report it to the ICO (where it is likely to result in a risk to individuals)
- penalties up to 20 million euros / 4% of annual worldwide turnover, whichever is greater (the UK GDPR figure is £17.5 million)
- any person who has suffered damage (including distress) because of an infringement of the law has the right to receive compensation
- individuals can bring a private claim, including via a not-for-profit body
- data controller: the organisation/person that determines the purposes and means of processing personal data
- data processor: any organisation/person that processes data on behalf of the data controller
- personal data: any information relating to an identified or identifiable natural person
- special categories of personal data:
racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic/biometric data, health, sex life or sexual orientation
(processing requires a condition such as explicit consent / necessity for employment law / legal claims / protecting vital interests / data manifestly made public by the individual / substantial public interest)
good practice:
- look after info as if protecting own valuables and cash
- concentrate, don’t get distracted, stay aware of sensitivity
- if in doubt, contact the Information Governance Officer
What is RICS guidance on client relationships and handling data?
Data handling
- Think about whether the info you hold is personal, sensitive or confidential
- Document the purposes for which you are allowed to hold the info and the processes for gaining consent, if applicable
- Keep a record of consent (where needed) for processing, storage and retention
- Check whether you have appropriate contractual clauses for use of the info
- Consider whether you have the right to use the info in the way you intend
(could there be damage to people or to the reputation of the firm?
Just because you can collect and use info doesn't mean you should;
just because you use it for one purpose doesn't mean you can automatically use it for another)
Privacy notices:
- Legally required/good practice to tell:
What info you have
What info will be used for
Which third parties you might share info with and why
How long you will keep the info for
What legal rights they have
- Generally achieved by writing a privacy notice/policy and making accessible e.g. on website
- But don’t just rely on notice, consider if helpful to give info e.g. when someone signs contract
Data breaches:
- Consider and document risks to data held
- Review regularly, at least annually
Data breaches can happen through:
Employee mistakes
Equipment failure
Hacking
Cyber-attacks
Malware (malicious software designed to damage, disrupt or gain unauthorised access to your computer systems)
Loss of equipment
Preventing employee breaches:
- Train staff (e.g. on working-from-home arrangements)
- Processes
- Conduct due diligence on suppliers used to process info; mandatory contractual clauses, see the UK Information Commissioner's Office guidance "contracts and liabilities between controllers and processors"
If you use cloud storage:
Understand the jurisdiction where the info is held / the cloud is hosted / stakeholders are located
Consider where encryption is needed in transit and at rest, e.g. for emails
Consider whether additional encryption is needed for e.g. bank/payment/health info
Data retention:
- Only keep as long as necessary
(typically 6 to 15 years, depending on the document type and applicable limitation periods)
Data ownership:
- Firms may need to transfer a file to a new firm the client instructs, or directly to the client; not all documents in the working file necessarily belong to the client, depending on the contract/service agreed and the law
- There is some law on which documents on a solicitor's file belong to a client: broadly, documents provided by the client or paid for by them belong to them, but internal notes/emails/copy correspondence may not;
however, the client may also have the right to access personal data you hold about them in those documents; if unsure what should be provided, take legal advice
- Top tips:
Breach detection technology
Software updates regularly
Penetration testing regularly
Encryption
Firewalls (a network security system that monitors and controls incoming and outgoing network traffic according to predetermined security rules, forming a barrier between a trusted internal network and an untrusted network such as the internet)
Cyber insurance
Confidentiality and non-disclosure agreements:
- Confidentiality clauses
- Confidentiality agreements (CAs)
Nondisclosure agreements (NDAs) or
Confidential disclosure agreements (CDAs)
Which commercial information is confidential?
- Confidentiality is extremely important in many areas of e.g. valuation work.
- It is considered to be a general duty to treat client information resulting from a professional relationship as confidential information, whether held or disseminated electronically, verbally or in hard copy, unless it is already in the public domain.
- It is important to always keep in mind that the duty of confidentiality is continuous and ongoing, and includes current, past and potential clients.
- Info, e.g. a valuation, may be communicated without breaching confidentiality if it is within the valuer's own knowledge and only broad categories are given (e.g. property type, location);
if the second client wants more detail, explicit consent can be sought from client A;
client A may refuse, and you can still act for both clients;
may need to consider conflict of interest / informed consent / refusing the instruction
What is the legislation governing the Council’s data management?
- GDPR: EU regulation;
aims to address the technological and social changes of the last 20 years;
designed to strengthen the protection of personal information and extend the rights and control individuals have over their data (retained in UK law as the UK GDPR)
- Data Protection Act 2018: fills in some gaps in GDPR, especially in expanding the legal bases for processing and the circumstances in which exemptions apply
- Freedom of Information Act 2000: gives individuals the right to request information from public authorities
(response within 20 working days)
How do you adhere to the Council’s Corporate Info Security Policy?
- access only the info needed for legitimate duties
- safeguard your network account, passwords, ID
- securely destroy all info before discarding
- delete all suspect and unsolicited emails without opening any attachments or clicking on links
- report all info security incidents to ICT helpdesk
How do you send sensitive data via email?
There are two secure options when sending sensitive personal data via email.
These are:
Sending to an external organisation where a secure link has been set up between us and them, i.e. an enforced Transport Layer Security (TLS) connection between the two mail servers (this protects the message in transit only; opportunistic STARTTLS that can fall back to plaintext is not a secure link)
Encrypting the message using PGP
Password protection should not be used on email attachments, as it does not adequately protect the data (the password is often sent over the same channel as the file, and the legacy ZIP and older Office password schemes are weak). Also, password-protected documents cannot be checked for viruses by the email gateway and so may be quarantined by our email system.
You need a software licence to use PGP encryption, but it is invisible to the sender and so very easy to use. To switch it on, simply mark a message as confidential (in the sensitivity options) when sending to external recipient(s).
The message itself is not sent to the recipient(s); it does not leave the council's network, which is what makes it secure. Instead, the recipient(s) receive an email containing a link to the council's PGP page, where they must log in to view the message and any attachments. (Note that what is described here is a secure web pickup portal branded "PGP"; standard OpenPGP encrypts the message body to the recipient's public key and the ciphertext itself travels over email.)
The first time a recipient uses PGP, they have to set up a passphrase, which they will use each time they receive an encrypted message. If they forget it, our ICT help desk can reset it for them.
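The gateway-side checks that this policy implies (is the message marked confidential, are all recipients at domains with an enforced TLS link, does it carry a password-protected ZIP that a virus scanner cannot inspect) can be written as a small outbound-mail classifier. The following is an added example written for these notes, not the council's own code: the enforced-TLS partner domain, the sender and recipient addresses and the `Sensitivity:` header value are assumptions, and the sample message and ZIP are constructed inline. The "encrypted" flag in a ZIP is bit 0 of the general-purpose flags in the local file header (offset 6) and central directory header (offset 8), which is what a password-protected archive looks like to a scanner.

```python
import io
import zipfile
from typing import Optional
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: domains with which an enforced (mandatory) TLS link exists.
ENFORCED_TLS_DOMAINS = {"partner.example"}

# Sensitivity header values (RFC 2156 / Outlook style) that trigger the encryption service.
CONFIDENTIAL_LEVELS = {"company-confidential", "private"}


def make_zip(password_protected: bool) -> bytes:
    """Constructed one-file ZIP; optionally set the 'encrypted' general-purpose
    flag (bit 0) in both the local header and the central directory entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "constructed sample content\n")
    data = bytearray(buf.getvalue())
    if password_protected:
        local = data.find(b"PK\x03\x04")      # local file header: flags at +6
        central = data.rfind(b"PK\x01\x02")   # central dir header: flags at +8
        data[local + 6] |= 0x01
        data[central + 8] |= 0x01
    return bytes(data)


def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry has the encryption flag set; such entries cannot be
    read, and therefore cannot be scanned, without the password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x01 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def classify_outbound(raw: bytes, enforced_tls=ENFORCED_TLS_DOMAINS) -> str:
    """Return the action a gateway would take: 'quarantine', 'encrypt', 'tls' or 'plain'."""
    msg = message_from_bytes(raw, policy=policy.default)

    # 1. Password-protected archives defeat content scanning -> quarantine.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype in ("application/zip", "application/x-zip-compressed") or name.endswith(".zip"):
            if zip_is_encrypted(part.get_payload(decode=True)):
                return "quarantine"

    # 2. Messages the sender marked confidential go via the encryption service.
    if (msg.get("Sensitivity") or "").strip().lower() in CONFIDENTIAL_LEVELS:
        return "encrypt"

    # 3. Otherwise every recipient domain must be behind an enforced TLS link.
    addrs = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    domains = {addr.rsplit("@", 1)[-1].lower() for addr in addrs if "@" in addr}
    if domains and domains <= {d.lower() for d in enforced_tls}:
        return "tls"
    return "plain"


def build_message(to: str, sensitivity: Optional[str], attachment: Optional[bytes]) -> bytes:
    """Constructed sample outbound message (addresses are assumptions)."""
    msg = EmailMessage()
    msg["From"] = "officer@council.example"
    msg["To"] = to
    msg["Subject"] = "Tenancy file"
    if sensitivity:
        msg["Sensitivity"] = sensitivity
    msg.set_content("Please find the requested records attached.")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application", subtype="zip", filename="records.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_outbound(build_message("a@partner.example", None, make_zip(False))))
    print(classify_outbound(build_message("a@other.example", "Company-Confidential", None)))
    print(classify_outbound(build_message("a@partner.example", "Company-Confidential", make_zip(True))))
    print(classify_outbound(build_message("a@other.example", None, None)))
```

The quarantine check runs first on purpose: an encrypted archive is uninspectable whatever the sender's intent, whereas a missing confidentiality marking can be corrected by the sender. The "tls" outcome is only as good as the server-side configuration that makes the link mandatory; the classifier can see the recipient domain, not whether the remote server actually negotiated TLS.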
How will AI affect surveying?
What is copyright?
What is the difference between a deed and a registered title?
Title is the legal right of ownership of a property; a deed is the document that creates or transfers those rights. For registered land, the Land Registry's register of title, rather than the paper deeds, is the evidence of ownership.
How do you use an AVM?
Can you use electronic signatures?
What is VLOOKUP? What is a pivot table?