Data management Flashcards
What are the data security technologies available?
- Disk encryption
- Regular backups offsite
- Password protection
- Use of anti-virus software protection
- Firewalls and disaster recovery procedures
What is copyright?
A set of exclusive rights granted to the author or creator of any original work including the right to copy.
These rights can be licensed, assigned or transferred.
Form of intellectual property.
What is Crown Copyright?
Refers to all material created and prepared by the Government, such as laws, public records, official press releases and OS mapping
What does GDPR stand for?
General Data Protection Regulation 2016
What is the Data Protection Act 2018?
UK’s implementation of GDPR
What does the Data Protection Act 2018 cover?
The Act is a complete data protection system, so as well as governing personal data covered by GDPR, it covers all other general data
What did the Data Protection Act 2018 replace?
Data Protection Act 1998
When did the Data Protection Act 2018 come into force?
25th May 2018
What does the Data Protection Act 2018 aim to do?
To create a single data protection regime for anyone doing business in the EU and to empower individuals to take control of how their data is used by third parties.
What is the ICO?
Information Commissioner’s Office
How long do companies have to report data security breaches to the ICO?
72 hours
What are some of the obligations under the Data Protection Act 2018?
There is an obligation to conduct data protection impact assessments for high-risk holding of data
What are the fines?
4% of global turnover or 20 million euros (whichever is greater)
Article 5(2) requires that the controller shall be responsible for what?
For, and be able to demonstrate, compliance with the principles
What are the 8 individual rights under GDPR?
- Right to be informed
- Right of access
- Right of rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Right to automated decision making and profiling
What is the Freedom of Information Act 2000?
It gives individuals the right of access to information held by public bodies
The public body is required to supply the information within what period?
Normally 20 working days in the format requested
What exceptions are there to the Freedom of Information Act 2000?
- Contrary to the GDPR requirements
- It would prejudice a criminal matter under investigation or a person's/organisation's commercial interests
How can the security of electronic data be improved?
- Firewalls
- Encryption
- Passwords
What is the purpose behind the RICS Professional Statement on Data Handling and Prevention of Cybercrime?
Covers best practice and mandatory obligations with which RICS professionals and regulated firms must comply.
It addresses how surveyors capture, store and share data appropriately and securely and it is likely to mandate policies, practices and training for all regulated firms and members.
What is a Subject Access Request?
When a user requests information under Article 15 of GDPR
If a tenant would like access to some CCTV footage, what is required?
Subject Access Request
Liaise with data protection officer on what is required and what can be given
What is a firewall?
Network security system that monitors and controls incoming and outgoing network traffic, based on predetermined security rules
What is encryption?
Mathematical function that codes data so only authorized users can access it
Makes readable text unreadable unless a code or decryption key is known
What are the principles of GDPR and DPA 2018?
- Information must be used lawfully and transparently
- Information must be collected for a legitimate and specified purpose
- Information must be adequate and limited to necessity
- Information must be accurate and kept up to date
- Information must be kept safe and no longer than necessary
What are the obligations of GDPR?
- Must have knowledge of the data you store and process
- Must be able to delete every instance of an individual's data
- Must demonstrate compliance in managing data
- Must offer data portability
- Must be able to prove how information is being processed
How do you treat / manage confidential information?
- Conduct data reviews
- Anonymise data where possible
- Encrypt data where possible
- Treat commercial data as personal data
- Understand what data we hold and how it is processed
- Password protection and secure data sites
- Use of firewalls
- Have a breach policy response
What other legislation is there relating to data management apart from GDPR and the Data Protection Act 2018?
Freedom of Information Act 2000
Limitation Act 1980
How long can you hold data for?
No specific time limit – GDPR says no longer than necessary. The organisation's privacy policy should dictate
As short as possible and as agreed with the data subject
Why was GDPR introduced?
To consolidate data protection laws across EU member countries and provide greater protection and rights to individuals
Why is it important that data is uploaded correctly?
To ensure protection of individuals' data and compliance with legislation
When are you allowed to upload data / share data? How did you know you were allowed to do this?
The firm's privacy notice dictates what data we hold, how it is processed and also how and when we might share it with a third party and which third party it would be shared with.
For example, at the sale of a property.
This privacy notice is issued to all tenants.
How have consent conditions been strengthened under GDPR?
- Consent must be clear and indistinguishable from other matters
- Consent must be provided in an intelligible and easily accessible form, using clear and plain language
- Must be as easy to withdraw consent as it is to give consent
When can an individual request for their information to be deleted?
- If an individual's data has been unlawfully processed
- If an individual's data is no longer necessary for the purpose it was originally collected
What is privacy of design and is it a legal requirement?
Implementation of security systems into the original design of management systems as opposed to later additions – yes, it is a legal requirement
List the 7 key principles of GDPR.
- Lawfulness, fairness and transparency
- Purpose Limitation
- Data minimisation
- Accuracy
- Storage Limitations
- Integrity and Confidentiality
- Accountability
How long can you hold data for?
Shortest time is 6 years for accounting VAT/tax purposes but the Limitation Act 1980 provides for a period of up to 15 years for a professional negligence claim.
It depends on different factors though, such as: do they include any original contracts or leases, do they relate to a current project, do you need them to justify your fees, are the files relevant to any disputes and are they needed for any litigation.
If an assignment is completed on a lease, how long should you hold the assignor information for on the system?
It would depend on the terms of the assignment.
If there is an AGA in place, you would hold the assignor details until the end of the lease and then 6 plus one year.
Same for privity of contract
Could also argue you can hold details until arrears are cleared in full
What are CPSEs?
Commercial Property Standard Enquiries
What constitutes personal data?
Information relating to a person that identifies that person
e.g. names, photo, email, bank details, IP address
Give some examples of personal data and how they apply to property companies.
- Data relating to investors
- Data relating to fund managers / Clients
- Valuations
- Compliance
- Bookkeeping payroll
- Background checks
- HR
- Tenant information
What organisations are exempt from GDPR?
- Exceptions for organisations with fewer than 250 employees
- Private individuals not engaged in business activities
What is your firm's data protection policy?
- Follow legislation
- Suspected breaches should be reported to the individual's line manager or the firm's data protection officer
How do you apply your firm's data protection policy?
- I ensure I have an understanding of sensitive and protected data
- I don’t send sensitive or protected data unless it is to the individual
- Anonymise information where possible
- I report suspected breaches
Who regulates GDPR in the UK?
The Information Commissioner's Office
What are the obligations imposed by GDPR?
- MUST have knowledge of the data you store and process (including its location and security)
- MUST be able to delete every instance of an individual's data
- MUST demonstrate compliance in managing data
- MUST be able to prove how information is being used
- MUST offer data portability
What are the RICS best practice guidance points for GDPR compliance?
- Conduct data reviews to understand risks
- Anonymise data where possible
- Encrypt where possible
- Create breach policy response
- Treat commercial data as personal data
- Understand data processes
Give an example of how you process and handle confidential information.
- Use document systems to add, amend and remove information
- Upload files to secure data room
- Anonymise information
- Password protection to access files
What should be included in a firm's privacy notice?
- What information you have
- What the information will be used for
- Which third parties you may share information with
- How long information is being kept for
- What legal right the firm has