Data Management Flashcards

1
Q

what are the GDPR consumer rights

A
A - Access
C – Consent
C - Correction
E – Erasure
P – Data Portability
ACCEP
(Accep your rights)
2
Q

what regulation governs laws on data protection and privacy

A

UK General data protection regulation 2020

3
Q

Article 5 of GDPR requires that personal data should be what? Name at least 3

A
  • Processed lawfully, fairly in a transparent manner (PLT)
  • Adequate, relevant, and limited to what is necessary
  • Collected for specified explicit and legitimate purposes
  • Kept in a form that permits identification of data for no longer than is necessary
  • Accurate and kept up to date, where necessary
  • Processed in a manner that ensures appropriate security of personal data.

PACKAP

4
Q

What is the maximum GDPR fine set by UK GDPR and DPA 2018

A

17.5 Million or 4% of annual global turnover (whichever is highest).

5
Q

Data offences can be punished by what? Name two (excluding fines).

A
  • Warnings
  • Temporary or permanent ban on data processing
  • Restriction or erasure of data
  • Suspend data transfers to third party countries.
6
Q

what is DPA 2018?

A

Data Protection Act 2018

  • UK’s implementation of GDPR
  • Replaced the DPA 1998
7
Q

Are you aware of the Freedom of Information Act 2000?

A

Yes it provides the public access to information held by public authorities.

8
Q

how do FOI Act 2000 requests work?

A
  • Must be in writing

  • Information must not be exempt e.g. personal data or national security

9
Q

What security measures can you use to protect data? Name at least 3

A
  • Password protection
  • Security markings
  • Physically locking storage units
  • Encryption firewalls
  • Two factor authentication
10
Q

what best practices would you encourage in terms of managing data? Give at least 3

A
  • Cross reference computer with hard copy
  • Back up IT systems
  • Write once, read many times
  • Keep an audit trail
  • Ensure electronic signature cannot be altered (send PDFs, not Word).
11
Q

you refer to a valuation of serviced offices in Malvern Hills as part of REVAL 2021, how did you use the data collected to advise the senior management of your view?

A
12
Q

tell me what you know about GDPR

A

General Data Protection Regulation

Following Brexit there is now a UK version called UK GDPR 2020
Set out the main responsibilities for organisations using, storing and handling personal data.

Article 5 sets out the consumer rights which includes the right to be informed, right to access, right to erase, right to correct and right to withdraw consent.

Applies to the VOA – right to correct is something we actively do in the Check stage of CCA and in Form of return where personal data is explicitly collected.

13
Q

How does Freedom of information work and how can it be used?

A

Individual can request information held by public bodies such as minutes from a board meeting

Request must be made in writing

Public body must supply in 20 working days and can charge for this service
Information must not be exempt e.g. personal data or national security.

14
Q

what is the latest change in data protection regulation?

A

DPA act
2020 GDPR
New professional statement on Data handling in consultation at the moment.

15
Q

How does GDPR affect your firm?

A
16
Q

what is the definition of personal data?

A

Personal data are any information which are related to an identified or identifiable person.

17
Q

what is encryption/firewalls/blockchain?

A

Encryption is a means of securing data by encoding it mathematically such that it can only be read, or decrypted, by those with the correct key or cipher.

A firewall is a network security device that monitors traffic to or from your network. It allows or blocks traffic based on a defined set of security rules.

A blockchain is a digitally distributed, decentralized, public ledger that exists across a network.

18
Q

describe a time you have used and managed data to communicate some complex, reasoned advice?

A

Reval, Office Malvern Hills

19
Q

give me an example of how you process and handle confidential information

A

IHT case:

  • Don’t print what I don’t need to
  • Ensure appropriate saving with correct name conventions
  • Don’t leave computer unlocked and unattended
20
Q

tell me about how you extract data from a source regularly used in your role

A

Internal database – CDB for rental information
Set parameters for data to refine prior to download
Use filters on excel to refine the data to what I need

21
Q

what is an electronic document management system (EDMS)?

A

A software package designed to manage electronic information and records within an organisation’s workflow.

Using various technologies, an EDMS allows a user to manage the creation, storage, and control of records while allowing others to access and edit documents.

22
Q

What type of documents can electronic signatures be used for?

A

Electronic signatures can be used to replace handwritten signatures in virtually every personal or business process. Examples include contracts, application forms and nondisclosure agreements

23
Q

Give me an example of how you ensure that data is kept securely.

A

Permission levels on EDRM restrict who can access the data, preventing conflict of interest in terms of accessing information. E.g. someone in rating accessing plans and data collected for a different purpose.

Back up work / systems where necessary

When saving data within the Electronic data recording system I ensure it is appropriately labelled as Official-sensitive information, to show others that care must be taken.

24
Q

how do you validate information

A

Cross check with another source
Call to get further information / confirm details
Adopt a common sense approach

25
Q

what are the strengths and limitations of primary/secondary data sources

A

Primary

Pros:
Specific to the needs
Greater control (type of data, design, method)
More up to date
May be more accurate

Cons:
Expensive (may make it more difficult)
Time consuming

Secondary

Pros:
Easily accessible
Affordable
Less time consuming

Cons:
May lack reliability
May be outdated
May have to deal with irrelevant data before finding suitable data

26
Q

You shared rental evidence with an agent for rating purposes, did you have permission to share that information?

A

Yes - The Valuation Office Agency (VOA), as an executive agency of HMRC, is subject to the Commissioners for Revenue and Customs Act 2005 (CRCA) which covers: the confidentiality of information held by the VOA and when it is lawful to disclose that information.

The VOA is not permitted to disclose information except in certain limited circumstances, including, for the purposes of its functions, where there is a legislative gateway or with customer consent.

Sections 18 (2) and (3) of the Commissioners for Revenue and Customs Act (CRCA) 2005 allow sharing of data / information as long as it is reasonable and proportionate to do so.

The Billing Authority will treat all information supplied by the VOA as confidential even if the Information sharing agreement is terminated.

27
Q

How did you store the data collected for house in Kenilworth?

A

Electronically using word and excel

Uploaded my inspection notes and photographs to EDRM system with access restrictions and appropriate name and labelling.

28
Q

How do you ensure data is kept secure?

A

Main two points:
Keep it safe from corruption
Control access to data

I do this by:
Password protection
Not leaving computer or files unattended
Access restriction on EDRM
Computer system with regular back ups, encryption and anti-virus software
29
Q

Can other colleagues access information you are working on?

A

No, if they are in a different team e.g. DVS then they will not be able to access information stored for rating purposes.

30
Q

Could conflicts arise from colleagues having access to certain information?

A

Yes it could occur if doing a DVS asset valuation and a rating colleague has access to this information. Could disadvantage the client as a result of accessing this data which was not requested for that purpose. Could go against GDPR, however CRCA act may justify it?

31
Q

Freedom of information act 2000 exemptions

A

Personal data
National security

Information held by the VOA for its functions that either directly identifies a person or enables their identity to be deduced from it, is exempt from disclosure under s44 of the FoIA as it is prohibited by s23 of CRCA

32
Q

Tell me more about the data protection act 2018

A

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
used fairly, lawfully and transparently
used for specified, explicit purposes
used in a way that is adequate, relevant and limited to only what is necessary
accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

be informed about how your data is being used
access personal data
have incorrect data updated
have data erased
stop or restrict the processing of your data
data portability (allowing you to get and reuse your data for different services)
object to how your data is processed in certain circumstances

33
Q

How long did you keep information for in the Kenilworth case and how is it disposed?

A

Kept for minimum of 6 years

At the VOA we have a team who deals with erasure and data disposal

34
Q

What regulation covers sharing data?

A

Commissioners for Revenue and Customs Act 2005

CRCA ACT

35
Q

benefits of cloud based systems

A
  • information is backed up by encrypted servers
  • accessibility can be managed via online settings
  • cheaper than physically storing and managing files
  • more convenient to send and share files online instead of mailing physical copies
  • cloud systems are environmentally friendly
  • multiple users can access the same document and work on it at the same time.
36
Q

meaning of a non disclosure agreement

A

Used to protect against the disclosure or sharing of any confidential data.

Prior to the information being shared, clients will typically request that the recipient signs up to an NDA.

Often used to prevent confidential or sensitive property information being used or talked about by competitors.

37
Q

if two departments within your firm were working for two rival companies how would you ensure client sensitive data was managed?

A
Make client aware of risks
Conflict of interest protocol
Informed consent
Keep staff exclusively in one team
NDAs
Separate working locations
Use secure document systems with access restrictions
38
Q

who are the key persons outlined within GDPR?

A

Controller – person that determines the purpose and means of processing personal data e.g. the employer.

Processor – person that processes personal data on behalf of the controller e.g., call centres acting on behalf of its client.

Data Protection Officer – leadership role required by EU GDPR. Responsible for overseeing the data protection approach strategy and implementation.

39
Q

what should companies put into place to ensure GDPR compliance?

A
  • Raise awareness across the business
  • Audit personal data
  • Review procedures supporting individual rights
  • Identify and document the legal basis for processing personal data under GDPR
  • Train staff and give them the information
40
Q

What personal and confidential information does the VO hold?

A

Personal data relating to VOA employees
Emails containing sensitive or confidential information
Customer correspondence received in confidence
Customer records
Property information
Contractual information relating to past, present or potential future companies

41
Q

define what disclosure means?

A

The sharing of information with others
Before sharing information you must be sure you have the right to disclose it and the person requesting it has the right to receive it.

42
Q

what does CRCA set the VO’s functions as?

A

Producing rating lists
Council tax valuation lists
Valuation of property

43
Q

what two ways does the freedom of information act provide the public with access to information held by public authorities?

A

Public authorities are obliged to publish certain information about their activities.

Members of the public are entitled to request information from public authorities.

44
Q

when would you disclose information about taxpayers (or their properties) or our customers to third parties?

A

In line with CRCA Act 2005:

  • If essential for one of our functions
  • In line with legislation or statutory gateway under LGFA
  • With consent of the taxpayer, customer or client
  • For civil proceedings such as valuation tribunal hearings

For example, the law allows us to disclose rental information when dealing with a rating challenge. The law also then allows an appellant to request additional rental information proportionate to the rental information we disclose.

45
Q

How would you deal with someone requesting to access their own personal information?

A

There is a deadline of one month to respond to a request. I would forward any request where a requester asks for their own information to the SAR inbox immediately by emailing.

If the request is part of an outstanding case, I would consider if it can be dealt with more appropriately as business as usual under CRCA.

This is known as a Subject Access Request.

A verbal request for property information cannot always be answered verbally. We may require verification of the person’s link to the property before deciding whether we can disclose information.

46
Q

How would you deal with a freedom of information request?

A

Check the request is made in writing (email/letter)
Check it includes the requester’s name and address and clearly describes the information wanted.
Forward request to FOI inbox team